I was recently doing some cleanup in assets for my reports and I noticed that some assets have environmental score modifiers configured. Example for fastify:

The result is that the same vulnerability reported against different assets (e.g. express vs fastify) will end up with a different CVSS score, despite all the base score factors being the same.
Is this on purpose?
@nodejs/security-wg do you have insight into this aspect?
@MarcinHoppe can you share an example of a vulnerability having different environmental score in different assets?
In general, the CVSS specification highlights that the environmental score should be used to capture the importance of the vulnerable asset to a user's organization based on complementary/alternative security controls in place. As such I don't think we should be assigning environmental score as we are unaware of the environment in which the package is used. This is something to be used by the consumers of the packages.
Doesn't sound like this is on purpose, especially if it's just fastify then it's probably a one off misconfig that took place.
This was exactly my thought. It was probably done for the asset instead of a single report by accident. It doesn't make much sense, as we have the triage buckets high and low (maybe it was used as some way of applying those to the environmental score).
@MarcinHoppe if that makes sense to you too, could you update that entry to correct it?
@esarafianou Please see https://hackerone.com/bugs?report_id=869695 and https://hackerone.com/bugs?report_id=869684. The same vector for the base score and different final scores.
This was originally brought up by @ChALkeR.
@DanielRuf @lirantal I can definitely take a sweep through all the assets and remove the environmental modifiers.
I will leave this here for one more day in case someone chimes in with a different opinion. If nobody objects, I will clean the modifiers for all assets.
I cleaned this up for all the assets. Closing.