What is AIVSS (the AI Vulnerability Scoring System) and how does it work?
What AIVSS is
- AIVSS (Artificial Intelligence Vulnerability Scoring System) is an open OWASP standard that extends CVSS v4.0 so vulnerabilities in autonomous, agentic AI systems get a defensible 0–10 severity score plus an explanatory AIVSS Vector.
- It exists because a classic technical-severity score does not reflect how an agent's autonomy, tool use, memory, identity, and multi-agent reach amplify a vulnerability's real-world blast radius.
- The CVSS v4.0 Base Score remains the technical baseline; AIVSS layers agentic amplification on top of it. Treat AIVSS as the prioritization engine that quantifies threats named by taxonomies like the OWASP Agentic AI Top 10 and located by MAESTRO.
Why CVSS alone is insufficient for agentic AI
- CVSS scores a static flaw; agents act. CVSS assumes a human (or fixed code path) drives exploitation. An autonomous agent can discover, chain, and execute an exploit pathway on its own initiative, with no operator in the loop.
- Tool use breaks the "scope" model. CVSS's notion of scope cannot express that one prompt-level issue, via dynamic tool calling (shells, APIs, file systems, code interpreters), becomes real-world impact far beyond the model's own process.
- Persistent memory makes impact durable. A poisoned context can survive across sessions and re-trigger later — CVSS has no concept of a vulnerability that compounds over time.
- Multi-agent topologies create cascading blast radius. Trust chains between agents let one compromise propagate; CVSS scores a single component, not a propagating fault.
- Non-determinism defeats reproducibility assumptions. Intermittent, hard-to-reproduce exploits are systematically under-rated by a model built for deterministic software.
- Opacity defeats attribution. Black-box reasoning makes attacks hard to diagnose and trace — a risk dimension CVSS never had to model.
The 10 Agentic Risk Amplification Factors (AARFs)
Each factor is rated 0.0 (None / Not Present), 0.5 (Partial / Limited), or 1.0 (Full / Unconstrained). They fall into four groups.
Core Agency and Goal-Seeking Behavior
- Autonomy of Action — ability to take actions without direct human command; higher autonomy means the agent can execute the exploit pathway itself.
- Goal-Driven Planning — capacity to create and run multi-step plans, letting a single injected instruction expand into a chained attack.
- Self-Modification — potential to alter its own logic, code, or behavior, letting an exploit persist or escalate beyond the original payload.
Environmental Interaction and Perception
- Dynamic Tool Use — use of external tools (APIs, file systems, code interpreters, shells), extending blast radius far beyond the agent's own code.
- Persistent Memory — use of stored memory to inform future actions, letting poisoned context persist across sessions and re-trigger later.
- Contextual Awareness — sensitivity to external inputs and context, making the agent more manipulable via crafted inputs (e.g. indirect prompt injection from documents or the web).
Systemic and Relational Risks
- Dynamic Identity — ability to shift roles or permissions at runtime, enabling privilege escalation and impersonation.
- Multi-Agent Interactions — capacity to interact with other agents, creating trust-chain and cascading-failure exposure where one compromised agent infects others.
Inherent Model Characteristics
- Non-Determinism — inherent unpredictability that makes exploits intermittent and hard to test, detect, and reproduce.
- Opacity & Reflexivity — the black-box nature of internal reasoning, making attacks hard to diagnose, attribute, and trace.
The canonical formula (v0.8)
The AIVSS Score is built from four quantities — the CVSS base, the raw factor sum, a threat multiplier, and a mitigation multiplier:
- CVSS_Base — standard CVSS v4.0 Base Score (0–10) for the underlying technical vulnerability, using the normal CVSS v4.0 vector (AV/AC/AT/PR/UI/VC/VI/VA/SC/SI/SA).
- Factor_Sum — the sum of the 10 AARF scores, range 0.0–10.0. (This raw sum is Factor_Sum, not AARS — see the caution below.)
- Risk_Gap = 10 − CVSS_Base — the severity headroom remaining above the technical floor.
- ThM (Threat Multiplier) — reflects exploit maturity (see table).
- Mitigation_Factor — reflects deployed controls (see table).
The canonical equations are:
- AARS = Risk_Gap × (Factor_Sum / 10) × ThM
- AIVSS = (CVSS_Base + AARS) × Mitigation_Factor
In words: the AARS (Agentic AI Risk Score) is the computed uplift that fills part of the gap from the CVSS floor toward 10, scaled by how present the agentic factors are and by exploit maturity. It is then added to the CVSS base and the whole is scaled by deployed mitigations.
Critical caution — do not confuse Factor_Sum with AARS. AARS is not the raw sum of the 10 factors. The raw 0–10 sum is Factor_Sum; AARS is the derived uplift Risk_Gap × (Factor_Sum/10) × ThM. Conflating the two is the single most common AIVSS scoring error and produces wrong final scores.
Deprecated formula — do not use. An earlier averaging form, AIVSS = ((CVSS_Base + AARS) / 2) × ThM, is outdated and incorrect. There is no division-by-2 / 50-50 averaging in the canonical formula, and ThM is applied inside the AARS uplift, not as a final multiplier on the whole score. The final multiplier is the Mitigation_Factor, not ThM.
Threat Multiplier (ThM) and Mitigation Factor
Threat Multiplier — exploit maturity:
- Attacked (exploited in the wild) → 1.00
- Proof-of-Concept (default) → 0.97
- Unreported → 0.50
Mitigation Factor — deployed controls:
- None / weak → 1.00
- Partial → 0.83
- Strong → 0.67
Worked example (Tool Misuse)
- Inputs: CVSS_Base = 9.4, Factor_Sum = 8.5, ThM = 0.97 (PoC).
- Risk_Gap = 10 − 9.4 = 0.6.
- AARS = 0.6 × (8.5 / 10) × 0.97 ≈ 0.5.
- With no/weak mitigation (Mitigation_Factor = 1.00): AIVSS = (9.4 + 0.5) × 1.00 = 9.9 → Critical.
- Under strong mitigation (0.67): AIVSS = (9.4 + 0.5) × 0.67 ≈ 6.6 → Medium.
Note that the 8.5 here is Factor_Sum, not AARS — feeding 8.5 in as "AARS" is exactly the mistake that yields a wrong score.
How to apply the score in practice
- Step 1 — Score the technical vulnerability. Compute a standard CVSS v4.0 Base Score and record its vector. This is identical to scoring non-AI software.
- Step 2 — Score the agentic context. Walk the 10 AARFs, rating each 0.0 / 0.5 / 1.0 against the actual deployed agent (its real autonomy, tools, memory, identity, and multi-agent exposure). Sum them to get Factor_Sum.
- Step 3 — Set exploit maturity (ThM). Use Attacked (1.00) only with evidence of in-the-wild exploitation; otherwise default to Proof-of-Concept (0.97); use Unreported (0.50) when no exploit is known.
- Step 4 — Set the Mitigation Factor. Choose 1.00 / 0.83 / 0.67 based on the controls actually deployed for this vulnerability (least-privilege tools, human-in-the-loop gates, memory provenance, sandboxing, strong agent identity, logging/tracing).
- Step 5 — Compute AARS, then AIVSS. Apply AARS = Risk_Gap × (Factor_Sum/10) × ThM, then AIVSS = (CVSS_Base + AARS) × Mitigation_Factor. Map the 0–10 result to your severity bands and prioritize.
- Step 6 — Drive remediation with the factors. The high-rated AARFs point directly at controls: autonomy/planning → approval gates, step budgets, circuit breakers; tool use → least-privilege allow-listing and sandboxing; memory → provenance and TTL scoping; identity → non-spoofable agent IDs and continuous authorization; multi-agent → zero-trust between agents and blast-radius containment; opacity → tracing and decision provenance. Re-scoring with stronger mitigations should visibly lower the AIVSS via the Mitigation_Factor.
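Steps 2 through 5 as a small scorer, added here as an illustration and not taken from OWASP's calculator or the original page. The factor key names, the per-factor ratings (constructed to sum to the worked example's Factor_Sum of 8.5) and the use of CVSS v4.0 qualitative bands for severity are assumptions.

```python
# Added example: AIVSS v0.8 scoring as described on this page (not OWASP's calculator).
AARFS = (  # hypothetical key names for the 10 factors listed on the page
    "autonomy_of_action", "goal_driven_planning", "self_modification",
    "dynamic_tool_use", "persistent_memory", "contextual_awareness",
    "dynamic_identity", "multi_agent_interactions",
    "non_determinism", "opacity_reflexivity",
)
ALLOWED_RATINGS = (0.0, 0.5, 1.0)
THM = {"attacked": 1.00, "poc": 0.97, "unreported": 0.50}
MITIGATION = {"none": 1.00, "partial": 0.83, "strong": 0.67}
# Assumption: CVSS v4.0 qualitative bands; the page leaves bands to the user.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


def severity(score):
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "None"


def aivss(cvss_base, ratings, maturity="poc", mitigation="none"):
    """Return factor_sum, aars, score and severity for one finding."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS_Base must be in 0-10")
    if set(ratings) != set(AARFS):
        raise ValueError("rate all 10 AARFs, no extras")
    bad = [k for k, v in ratings.items() if v not in ALLOWED_RATINGS]
    if bad:
        raise ValueError(f"ratings must be 0.0/0.5/1.0: {bad}")
    factor_sum = sum(ratings.values())          # raw 0-10 sum, NOT the AARS
    risk_gap = 10.0 - cvss_base                 # headroom above the CVSS floor
    aars = risk_gap * (factor_sum / 10.0) * THM[maturity]  # ThM lives here
    score = round((cvss_base + aars) * MITIGATION[mitigation], 1)
    return {"factor_sum": factor_sum, "aars": round(aars, 2),
            "score": score, "severity": severity(score)}


# Constructed ratings that sum to the worked example's Factor_Sum of 8.5.
TOOL_MISUSE = dict.fromkeys(AARFS, 1.0)
TOOL_MISUSE.update(self_modification=0.0, dynamic_identity=0.5)

if __name__ == "__main__":
    for level in MITIGATION:
        print(level, aivss(9.4, TOOL_MISUSE, "poc", level))
```

Rejecting ratings outside 0.0 / 0.5 / 1.0 and requiring all ten factors keeps a partially filled assessment from silently producing a lower score.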
Important caveats on accuracy
- AIVSS Vector format is unverified. A vector form such as (CVSS:[score]/AARS:[score]) is not confirmed as canonical in published sources; several state no vector format is specified. Treat any specific vector syntax as unverified rather than authoritative.
- The "Unreported" ThM is the confirmed value (0.50). An earlier ~0.91 figure for Unreported could not be confirmed and conflicts with the reproduced 0.50; the 0.97 PoC default and 1.00 Attacked values are confirmed.
- AIVSS is a maturing standard (v0.8-era). Anchor scoring to the latest official OWASP AIVSS publication and calculator before relying on exact multipliers in audit evidence.
Source: OWASP AIVSS