1 Comment
Oct 16·edited Oct 16

Great article into operationalizing vulnerability mgmt. One nit: You didn’t mention “mitigations”, just patching availability; the situation is not binary. It’s possible that a vendor patch isn’t available but a workaround / compensating control is possible — that needs to be factored into the calculation too. Especially for a critical vuln, easily exploitable and externally accessible.
