Risk score

Each application with a completed assessment has a risk score that summarizes its current open findings as a single number. XBOW shows the score on the applications list and on each application’s page, so you can compare applications and see where to focus first.

The score is a relative signal for triage, not a calibrated measure of business risk. Use it to compare applications, then open an application to see the findings behind the number.

How the risk score is calculated

The risk score is a count of an application’s open findings, weighted by severity:

Risk score = (4 × critical) + (3 × high) + (2 × medium) + (1 × low)

Each open finding adds its severity weight to the total. Informational findings have a weight of 0, so they never change the score.

Findings are removed from the total score when you mark them as fixed or intended, or when XBOW retests and confirms a fix. The score therefore reflects your current exposure rather than the original assessment findings.

How severity is set

A finding’s severity comes from its CVSS score, using the standard qualitative ratings defined by FIRST. XBOW shows FIRST’s None rating (0.0) as Informational:

CVSS score    Severity
9.0–10.0      Critical
7.0–8.9       High
4.0–6.9       Medium
0.1–3.9       Low
0.0           Informational

For more about CVSS, see the CVSS v3.1 specification from FIRST. For the vulnerability classes XBOW reports and how they map to CWEs, see Vulnerability classification.

Score bands and color indicators

XBOW color-codes the score into bands so you can gauge an application’s risk at a glance:

Score    Band      Color
0–9      Low       Green
10–49    Medium    Orange
50+      High      Red
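The following added example (not XBOW's own code) applies the rules above end to end: each finding's CVSS score is mapped to a severity, only open findings contribute their weight, and the total is placed in a band. The Finding fields and the status values "open", "fixed" and "intended" are assumptions made for the example.

```python
# Added example, not XBOW's implementation. Field names and status values are assumed.
from dataclasses import dataclass

# Severity weights from the documented formula; informational never changes the score.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the qualitative rating (FIRST's None shown as informational)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "informational"


@dataclass
class Finding:
    title: str
    cvss: float
    status: str  # assumed values: "open", "fixed", "intended"


def risk_score(findings) -> int:
    """Weighted count of open findings; fixed and intended findings drop out of the total."""
    return sum(SEVERITY_WEIGHT[severity_from_cvss(f.cvss)]
               for f in findings if f.status == "open")


def risk_band(score: int) -> str:
    """Band thresholds as documented: 0-9 low, 10-49 medium, 50+ high."""
    if score >= 50:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


# Constructed sample findings for one application.
SAMPLE = [
    Finding("SQL injection in login", 9.8, "open"),      # critical -> 4
    Finding("Stored XSS in comments", 7.4, "open"),      # high -> 3
    Finding("Weak password policy", 4.0, "open"),        # medium -> 2
    Finding("IDOR on invoice download", 6.5, "fixed"),   # excluded
    Finding("Verbose error page", 3.1, "open"),          # low -> 1
    Finding("Server banner disclosure", 0.0, "open"),    # informational -> 0
    Finding("Missing rate limit", 5.3, "intended"),      # excluded
]
```

Running risk_score(SAMPLE) gives 10, which sits exactly on the low/medium boundary, and marking the 4.0 finding as fixed drops the application back into the low band.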
