In exploitability metrics, which criterion describes whether multiple authorities must be involved in an exploit?

• A. Attack complexity.
• B. Privileges required.
• C. User interaction.
• D. Scope.

Answer: (D)

Scope in exploitability metrics captures whether exploiting a vulnerability can affect resources beyond the initial security boundary of the vulnerable component, potentially requiring involvement from multiple authorities or security domains. If exploitation stays within the same boundary, the scope remains limited; if it can propagate to other components or systems, additional authorities must coordinate, increasing the scope. The described criterion focuses on cross-boundary impact and multi-authority involvement, which is exactly what scope measures. Attack complexity is about how hard the attack is to perform, not who must be involved. Privileges required relates to the attacker’s needed access level beforehand, and user interaction concerns whether user participation is needed.