Confidentiality (MC)

This metric measures the impact on the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

Confidentiality refers to limiting information access and disclosure to only authorized users or the keepers of the secret, as well as preventing access by, or disclosure to, unauthorized ones.

At first this metric may seem not applicable to some Web3 scopes, such as smart contract attacks, but vulnerabilities targeting ZK-proof systems are a good example of where the Confidentiality impact can be crucial. If the attack is able to reveal the private inputs, the Confidentiality metric can be scored as "High". The Confidentiality Requirement should also be scored as "High" in that case.

Another example is a vulnerability that reveals or leaks the encrypted data in an FHE-based system.
