These are the characteristics of the vulnerability that can change over a period of time, but do not change in the environment the systems reside in. These are typically assigned by vulnerability bulletin analysts, security product vendors, or application vendors.

The temporal metric group consists of three sections, which are as follows:

• Exploitability: Determines and measures the level of difficulty to exploit the vulnerability
• Remediation level: Determines the level that the vulnerability may be remediated:
  • Official fix
  • Temporary fix
  • Workaround
  • Unavailable
  • Not defined
• Report confidence: Measures the credibility of the source where the vulnerability was reported:
  • Unconfirmed
  • Uncorroborated
  • Confirmed
  • Not defined