
CompTIA PT0-003 Exam - Topic 3 Question 25 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 25
Topic #: 3

[Reporting and Communication]

Which of the following are valid reasons for including base, temporal, and environmental CVSS metrics in the findings section of a penetration testing report? (Select two).

Suggested Answer: B, D

The Common Vulnerability Scoring System (CVSS) provides a standardized way to evaluate the severity of security vulnerabilities. It includes:

- Base Metrics: Inherent characteristics of a vulnerability (e.g., attack vector, complexity).
- Temporal Metrics: Factors that change over time (e.g., exploit availability).
- Environmental Metrics: Customization based on an organization's environment.

Correct answers:

- Helping to prioritize remediation based on threat context (Option B):
  - CVSS scores help organizations prioritize vulnerabilities based on real-world impact.
  - The Environmental metric allows customization based on business risk.
- Providing information on attack complexity and vector (Option D):
  - CVSS Base scores define attack complexity (e.g., low vs. high) and attack vector (e.g., network vs. physical).
  - This helps security teams understand how a vulnerability can be exploited.

Incorrect options:

- Option A (Providing remediation details): CVSS does not include remediation steps; it only scores severity.
- Option C (Proof-of-concept exploit links): CVSS scores are not based on specific exploits.
- Option E (Compliance information): CVSS focuses on technical risk, not regulatory compliance.
- Option F (Adding risk levels to assets): CVSS evaluates individual vulnerabilities, not asset risk classification.

Joanna
2 months ago
F seems irrelevant in this context, not sure why it's included.
upvoted 0 times
...
Kirk
2 months ago
D makes sense, but E feels a bit off to me.
upvoted 0 times
...
Marylin
2 months ago
A is also super important for remediation.
upvoted 0 times
...
Shonda
3 months ago
Wait, C isn't a valid reason? That's surprising!
upvoted 0 times
...
Golda
3 months ago
Definitely B, helps with prioritization!
upvoted 0 times
...
Jaime
3 months ago
I practiced a question similar to this, and I think providing information on attack complexity could be relevant, but I’m not confident about the second choice.
upvoted 0 times
...
Lavonne
3 months ago
I feel like helping to prioritize remediation is definitely one of the reasons, but I might be mixing it up with compliance information.
upvoted 0 times
...
Shenika
4 months ago
I remember that CVSS metrics can provide details on attack complexity, but I don't recall if that's a valid reason for the report findings.
upvoted 0 times
...
Elmira
4 months ago
I think including metrics helps prioritize remediation based on threat context, but I'm not sure about the other option.
upvoted 0 times
...
Lindsey
4 months ago
Easy peasy. The CVSS metrics provide a standardized way to assess the severity and context of the vulnerabilities. Including them in the report gives the client the info they need to make informed decisions on remediation.
upvoted 0 times
...
Wilda
4 months ago
I'm feeling a little lost on this one. What's the difference between the CVSS metrics again? I'll need to review my notes to make sure I understand how to apply them properly in the report.
upvoted 0 times
...
Lili
4 months ago
Okay, I've got this. The base and temporal metrics give details on the vulnerability itself, while the environmental metrics help relate it to the specific environment. That'll help the client understand the real-world impact and prioritize fixes accordingly.
upvoted 0 times
...
Heike
4 months ago
Hmm, I'm a bit unsure about this one. I know the CVSS is important, but I'm not sure exactly how the different metrics factor in. I'll have to think it through carefully.
upvoted 0 times
...
Lou
5 months ago
This one seems pretty straightforward. The CVSS metrics would help provide context on the vulnerabilities and how to prioritize remediation.
upvoted 0 times
...
Johnna
6 months ago
What, you guys don't want to see the cool exploits? Just kidding, I know B and D are the way to go. Gotta love that threat context, am I right?
upvoted 0 times
Carylon
5 months ago
User 1: Yeah, threat context is key for prioritizing.
upvoted 0 times
...
...
Deeann
7 months ago
Haha, yeah Paris, including the exploit code? That's just asking for trouble! I'll go with B and D as well, can't go wrong with that.
upvoted 0 times
Sherrell
5 months ago
User 1: Yeah, including the exploit code is risky.
upvoted 0 times
...
...
Paris
7 months ago
I agree with Quentin, B and D make the most sense. But I'm a little confused why C is even an option - including the actual exploits seems like a bad idea to me.
upvoted 0 times
Elvera
5 months ago
User 2: I think including the actual exploits could be risky, it might help attackers more than it helps defenders.
upvoted 0 times
...
Helga
7 months ago
User 1: B and D are important for prioritizing and understanding the severity of vulnerabilities.
upvoted 0 times
...
...
Lizbeth
7 months ago
I think F is crucial as it adds risk levels to each asset, helping in decision-making.
upvoted 0 times
...
Quentin
7 months ago
B and D are definitely the right choices here. The CVSS metrics give us the info we need to prioritize remediation based on the real-world threat context.
upvoted 0 times
Leota
5 months ago
It's important to have information on attack complexity and vector to understand the risks involved.
upvoted 0 times
...
Frederic
5 months ago
I agree, including base, temporal, and environmental CVSS metrics helps us prioritize based on threat context.
upvoted 0 times
...
Gilma
7 months ago
It's important to provide information on attack complexity and vector to understand the risk levels of each asset.
upvoted 0 times
...
Hillary
7 months ago
I agree, including base, temporal, and environmental CVSS metrics helps us prioritize based on threat context.
upvoted 0 times
...
...
Craig
7 months ago
I believe D is also important as it provides information on attack complexity.
upvoted 0 times
...
Wai
8 months ago
I agree with Sherita, those metrics can help prioritize remediation efforts.
upvoted 0 times
...
Sherita
8 months ago
I think A and B are valid reasons for including those metrics.
upvoted 0 times
...
