Which CVSS v3.0 metric group is optionally computed by the end-user organizations to adjust the score?

The Environmental metric group within CVSS (Common Vulnerability Scoring System) v3.0 is optionally computed by the end-user organizations to adjust the base score to reflect the importance of the affected IT asset to their organization and the security measures they have in place.

The Environmental metrics allow organizations to customize the CVSS score based on their specific security requirements, tailored mitigations, and how the vulnerability impacts their particular environment. This can result in a modified score that is more representative of the risk posed by the vulnerability in the organization’s unique context.

“Maturity” and “Scope” are not metric groups within CVSS; “Scope” is part of the Base metric group, and “Maturity” does not exist in the CVSS framework. The Temporal metric group, while it also adjusts the base score, reflects the current state of exploitability and remediation of the vulnerability, and is not typically computed by the end-user organization.