Modified Scope (MS)
Does a successful attack impact a component/protocol/system other than the vulnerable target? If so, the Score increases and the Confidentiality, Integrity and Availability metrics should be scored relative to the impacted component.
This is a frequent situation for smart contract vulnerabilities, where a vulnerability in one smart contract (or protocol) can lead to compromises in other contracts/protocols as well. In such cases, the Modified Score should be marked as "Changed".
Another example can be a vulnerability found in a price oracle. The vulnerability may not affect the target vendor's assets but can have a critical impact on a very large number of projects that use the oracle.
In case the Modified Scope is Changed, the Confidentiality, Integrity, and Availability metrics should be scored, accounting for the changed scope's impact.
Last updated