In vulnerability analysis, adjudication is the process of evaluating and ranking vulnerabilities in terms of the potential threat they pose to the organization. It also implies that some action can and will be taken to reduce that threat. Adjudication matters because it is one of the main factors that determines how you prioritize your exploitation efforts, with the goal of making the test as efficient as possible: a tester with limited time should spend it on the findings that an attacker would be most likely to exploit and that would do the most damage.

Note: Do not confuse adjudication with mitigation.

Although you are certainly free to use your own system for scoring threat levels, it's usually a good idea to rely on an industry standard like the Common Vulnerability Scoring System (CVSS) to do this for you. CVSS is an open standard that defines how the characteristics of a vulnerability can be quantified while taking into account the degree of risk to different types of systems or information. It does this with three metric groups: Base (the intrinsic properties of the flaw, such as attack vector and impact on confidentiality, integrity and availability), Temporal (properties that change over time, such as whether a working exploit or a patch exists), and Environmental (how much the flaw matters in a particular organization's deployment). CVSS version 3 produces a numerical score from 0.0 to 10.0, and each score range is also given a qualitative severity rating:

Rating      Score Range
None        0.0
Low         0.1–3.9
Medium      4.0–6.9
High        7.0–8.9
Critical    9.0–10.0

CVSS is used by several industry-recognized vulnerability databases. The U.S. government's National Vulnerability Database (NVD), which is built on the Common Vulnerabilities and Exposures (CVE) list, pairs each CVE entry with a CVSS base score and vector. Keep in mind that a published NVD score is a Base score only: it says nothing about whether an exploit is publicly available or how exposed the affected system is in the client's network, so when you adjudicate you should adjust it with the Temporal and Environmental metrics for the engagement rather than ranking findings by the NVD number alone.

CVSS example of a SQL Injection
CVE-2005-4416 : SQL injection vulnerability in index.php in TML CMS 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.