Scope

CVSS 3.0 lets us capture metrics for a vulnerability in one component that also impacts resources beyond that component's means. Scope refers to which parts of the vulnerable component are affected by the vulnerability, or which associations are impacted by exploiting it. Scope is delimited by authorization authorities: a vulnerability might affect components within the same authorization authority or within different authorization authorities. For example, a vulnerability in a virtual machine that allows the attacker to modify files in the base (host) system would include two systems in scope, while a vulnerability in Microsoft Word that allows the attacker to modify system host files would come under a single authorization authority:

| Parameter | Description |
|-----------|-------------|
| Unchanged | An exploited vulnerability would affect only the resources managed by the affected component |
| Changed | An exploited vulnerability may impact resources beyond the boundary of the vulnerable component |
