| Metric | Description |
| --- | --- |
| Blackbox Testing (BT) | In Blackbox testing, the attacker has limited or no access to internal system details such as the workings, design, or implementation details of the target system. The attacker can only operate with the knowledge available from external observations, such as inputs and outputs of the system. This approach often involves more guesswork and experimentation to identify and exploit vulnerabilities, which limits the attacker’s ability to conduct precise and targeted attacks. |
| Whitebox Testing (WT) | In Whitebox testing, the attacker has full access to detailed information about the target system, including its internal architecture, source code, design, and implementation details. This typically includes access to the source code, architecture diagrams, algorithms, and any other relevant information. This level of access enables the attacker to conduct a thorough analysis and precise exploitation of vulnerabilities, as they have a comprehensive understanding of the system’s inner workings. |
| Uncertain (UC) | Assigning this value indicates there is insufficient information to choose one of the other values. However, reports of impacts indicate a vulnerability is present. That is, the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. |