CompTIA PenTest+ (PT0-003) — Question 121
Which of the following are valid reasons for including base, temporal, and environmental CVSS metrics in the findings section of a penetration testing report? (Choose two.)
Answer options
- A. Providing details on how to remediate vulnerabilities
- B. Helping to prioritize remediation based on threat context
- C. Including links to the proof-of-concept exploit itself
- D. Providing information on attack complexity and vector
- E. Prioritizing compliance information needed for an audit
- F. Adding risk levels to each asset
Correct answer: B, D
Explanation
B and D are correct: CVSS metrics give the threat context needed to prioritize remediation (B) and describe the attack complexity and vector of each finding (D). Options A, C, E, and F do not directly relate to the role of CVSS metrics in informing risk assessment and remediation strategies.