
A security expert finds a weak spot in a computer program that lets bad guys take full control and run their own secret commands. What is the general name for this type of dangerous weak spot, and what special number system is used to give it a score for how bad it is and how easy it is for a bad guy to use?



The general name for a weak spot in a computer program that allows unauthorized users to execute their own commands is a vulnerability. This type of vulnerability, specifically when it grants full control, is often referred to as a remote code execution vulnerability or a privilege escalation vulnerability, depending on the precise mechanism.

The special number system used to score how severe a vulnerability is and how easy it is for an attacker to exploit it is called the Common Vulnerability Scoring System (CVSS). CVSS assigns a numerical score between 0.0 and 10.0 to each vulnerability, with higher scores indicating greater severity. This score is derived from a set of metrics that assess various aspects of the vulnerability. For instance, it considers how the vulnerability is accessed (e.g., over a network versus requiring physical access), the complexity of exploiting it (e.g., does it require specific conditions or special privileges), and the impact on the system's confidentiality (e.g., unauthorized access to data), integrity (e.g., unauthorized modification of data), and availability (e.g., the system becomes unusable). These metrics are combined using a defined formula to produce a base score, which represents the inherent qualities of the vulnerability.

Think of it like a danger rating for a software flaw. A vulnerability that allows an attacker to run any command on a system without needing any special access and with minimal effort would receive a high CVSS score, indicating it's extremely serious.


