Which CVSS metric group is primarily used to compute the initial risk score for a vulnerability?

Multiple Choice

Which CVSS metric group is primarily used to compute the initial risk score for a vulnerability?

Explanation:
The initial risk score is derived from the Base metrics because they capture the vulnerability’s inherent characteristics, independent of time or environment. Base metrics cover Exploitability factors—attack vector, attack complexity, privileges required, and user interaction—and Impact factors—consequences to confidentiality, integrity, and availability. These together form the Base Score, which represents the intrinsic severity of the vulnerability in a baseline context.

Temporal metrics and Environmental metrics are then used to adjust that baseline score. Temporal metrics account for factors that change over time, such as exploit maturity or remediation status, while Environmental metrics tailor the score to a specific environment, considering factors like the importance of affected assets and mitigations in place. Therefore, the group used to compute the initial risk score is the Base metrics.
