CRVE Vulnerability Exposure Calculator

CRVE is one of three transforms in the STORM Vulnerability Assessment (SVA) family. Use it when a vulnerability cannot be scored with CVSS and a plain percentage estimate would hide too much judgment. CRVE forces a structured decomposition into four factors, each anchored so the resulting 0–1 exposure value is defensible rather than intuitive.

The Four Axes

C — Capability required
How much attacker skill does exploitation demand? The scale rises with concern: "nation-state only" is the least concerning level, because few attackers qualify; "any user" is the most concerning, because there is no capability barrier at all.
R — Resources required
How much tooling, time, or infrastructure does exploitation need? This is distinct from capability: a skilled attacker without the required hardware is still gated. Again the scale rises with concern: "nation-state resources" is the least concerning level; "nothing special" is the most concerning.
V — Visibility
How observable is the vulnerability from an attacker's point of view? Public-facing weaknesses invite opportunistic exploitation; deeply buried ones can only be reached by an attacker who is already inside.
E — Effects on confidentiality, integrity, availability
If the exploit succeeds, how much is lost on each of the three dimensions? Each is rated separately, and the worst of the three carries into the exposure value, consistent with STORM's worst-case assumption.

Calculator

Select a level on each axis. The exposure value updates live. Use the result as a Vulnerability Transform input in a STORM assessment.

How the Exposure Value Is Computed

All axis values are normalized to the 0–1 range. The exposure value is the geometric mean of three components:

  • Discoverability = V normalized. A vulnerability that cannot be found will not be exploited.
  • Exploitability = (C + R)/2. With C and R both scaled so that higher means fewer barriers, the average directly reflects how freely the vulnerability can be exploited.
  • Impact = max(Ec, Ei, Ea). The worst-case consequence across the three CIA dimensions.

The final exposure is ∛(discoverability × exploitability × impact), the cube root of the product. The geometric-mean form has two useful properties: it returns 0.5 when every component is at its middle value (a raw product would return 0.125), and it returns 0 whenever any single component is 0, which correctly captures the idea that a vulnerability that cannot be discovered, cannot be exploited, or has no impact is not an exposure at all. One consequence to keep in mind when anchoring the scales: if the lowest level of an axis normalizes to 0, a finding rated at that level scores 0 regardless of the other axes, so the bottom anchor of each scale should genuinely mean "none" rather than "very little".

The resulting exposure is a value between 0 and 1 suitable for use as the v_i input to the STORM aggregation. The full mathematical treatment of the aggregation appears in the STORM/RSK white paper.
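The computation above, and the four axes it consumes, carried through as a runnable example. This is an added illustration, not the calculator's own code or any STORM project code. The page does not state how many levels each axis has or how a level maps onto 0–1, so the example assumes five anchored levels per axis, indexed 0 to 4 and normalized as level/4; the intermediate level labels are placeholders, and only the end anchors for C and R are taken from the page.

```python
"""Worked CRVE exposure computation (added example, not STORM's own code).

Assumptions not stated on the page: every axis has five ordinal levels,
indexed 0..4, normalized to 0.0..1.0 as level/4. Level labels other than
the C and R end anchors are illustrative placeholders.
"""
from dataclasses import dataclass

LEVELS = 5  # assumed number of anchored levels per axis

# Ordered least -> most concerning. Only the C and R end anchors come from the page.
C_LABELS = ["nation-state only", "expert", "skilled", "novice", "any user"]
R_LABELS = ["nation-state resources", "substantial", "moderate", "common tools", "nothing special"]
V_LABELS = ["deeply buried", "internal only", "partner-visible", "authenticated users", "public-facing"]
E_LABELS = ["none", "minor", "moderate", "major", "total"]


def normalize(level: int, levels: int = LEVELS) -> float:
    """Map an ordinal level 0..levels-1 onto 0.0..1.0 (assumed normalization)."""
    if not 0 <= level < levels:
        raise ValueError(f"level {level} outside 0..{levels - 1}")
    return level / (levels - 1)


@dataclass(frozen=True)
class CRVE:
    """One CRVE rating: four axes, with E split into its three CIA effects."""

    c: int    # capability required; higher level = fewer barriers
    r: int    # resources required; higher level = fewer barriers
    v: int    # visibility to an attacker
    e_c: int  # effect on confidentiality
    e_i: int  # effect on integrity
    e_a: int  # effect on availability

    def discoverability(self) -> float:
        return normalize(self.v)

    def exploitability(self) -> float:
        # C and R both rise with concern, so their mean rises with concern too.
        return (normalize(self.c) + normalize(self.r)) / 2

    def impact(self) -> float:
        # STORM's worst-case assumption: the largest of the three CIA losses.
        return max(normalize(self.e_c), normalize(self.e_i), normalize(self.e_a))

    def raw_product(self) -> float:
        return self.discoverability() * self.exploitability() * self.impact()

    def exposure(self) -> float:
        """Geometric mean of the three components: cube root of their product."""
        return self.raw_product() ** (1 / 3)

    def describe(self) -> dict:
        """Labels and intermediate values, for the assessment record."""
        return {
            "C": C_LABELS[self.c],
            "R": R_LABELS[self.r],
            "V": V_LABELS[self.v],
            "E": {"C": E_LABELS[self.e_c], "I": E_LABELS[self.e_i], "A": E_LABELS[self.e_a]},
            "discoverability": self.discoverability(),
            "exploitability": self.exploitability(),
            "impact": self.impact(),
            "exposure": self.exposure(),
        }


if __name__ == "__main__":
    # Constructed sample ratings, not real findings.
    middle = CRVE(2, 2, 2, 2, 2, 2)          # every axis at its middle level
    buried = CRVE(4, 4, 0, 4, 4, 4)          # trivially exploitable but undiscoverable
    harmless = CRVE(4, 4, 4, 0, 0, 0)        # public and easy, but no CIA effect
    worst = CRVE(4, 4, 4, 0, 0, 4)           # any user, no tooling, public, total A loss
    mixed = CRVE(4, 2, 3, 1, 4, 0)           # a realistic mixed rating
    for name, rating in [("middle", middle), ("buried", buried),
                         ("harmless", harmless), ("worst", worst), ("mixed", mixed)]:
        d = rating.describe()
        print(f"{name:9s} product={rating.raw_product():.4f} exposure={d['exposure']:.4f}")
```

The `middle` rating shows why the cube root is taken: the raw product of three 0.5 components is 0.125, but the geometric mean returns 0.5, so a middling finding reads as middling. `buried` and `harmless` show the zero property from both sides, and `mixed` shows the impact axis being driven entirely by its worst CIA effect (integrity at "total") even though availability is rated "none".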

When to Use Which SVA Transform

  • CVSSA — whenever the finding carries a CVSS score. Zero subjective input; automatic.
  • CRVE (this calculator) — complex vulnerabilities without a CVSS score: process failures, administrative gaps, supply-chain weaknesses, physical-security issues.
  • SEM — quick estimates where even structured decomposition is overkill. Use sparingly; SEM is prone to inflation without anchoring.

Related Tools and Reading

Simplified Total Risk Management, STORM, ATRA, StrongCOR, RAPID, and RSK are trademarks of Andrew T. Robinson.