3 Comments

Amazing stuff James. I'm at Sysdig and we offer "In Use Vulnerabilities" (see here: https://sysdig.com/solutions/vulnerability-management/)

Is this another valid prioritisation method? That the vuln is loaded in memory? We do the Exploit and Fixable too right now, but I'd love your POV on the in use piece. Thanks.


Great article on operationalizing vulnerability mgmt. One nit: You didn’t mention “mitigations”, just patching availability; the situation is not binary. It’s possible that a vendor patch isn’t available but a workaround / compensating control is possible — that needs to be factored into the calculation too. Especially for a critical vuln, easily exploitable and externally accessible.


Great post on vulnerability prioritization! Just a few thoughts to share:

1. EPSS probably shouldn't be listed as a base score (under #1), as its score is derived from all the intelligence items you list in #2, in addition to the base CVSS score

2. KEV is useful for prioritization, but only eventually. Items usually get added to KEV weeks or months after a vulnerability has been getting exploited in the wild. By the time a CVE pops up in KEV, it might be too late to avoid a successful attack.

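As an added example (not part of the thread or the article it replies to), one way to fold the three commenters' points into a single ranking: KEV and EPSS treated as alternative likelihood signals rather than summed, the runtime "in use" signal applied as an exposure discount, and a workaround counted as a remediation path when no patch exists. The findings, CVE ids, weights and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    cve: str
    cvss: float                 # CVSS base score: severity only, not likelihood
    epss: float                 # EPSS probability; already folds in threat intel
    in_kev: bool                # confirmed exploitation, but lags the real world
    loaded_in_memory: bool      # runtime "in use" signal
    externally_reachable: bool
    patch_available: bool
    mitigation_available: bool  # workaround / compensating control exists

def likelihood(f: Finding) -> float:
    # KEV is ground truth once an entry lands; until then EPSS is the leading
    # indicator. Take the max rather than adding so intel is not double-counted.
    return 1.0 if f.in_kev else f.epss

def exposure(f: Finding) -> float:
    # Code that is never loaded is discounted, not dropped: it can still be
    # pulled in by a later code path or a dependency change. Weights are constructed.
    if not f.loaded_in_memory:
        return 0.2
    return 1.0 if f.externally_reachable else 0.6

def risk_score(f: Finding) -> float:
    return round(likelihood(f) * exposure(f) * f.cvss / 10, 3)

def action(f: Finding) -> str:
    # Remediation is not binary: no patch may still mean a workaround exists,
    # and a high-risk item with neither needs escalation, not a backlog ticket.
    if f.patch_available:
        return "patch"
    if f.mitigation_available:
        return "mitigate"
    return "escalate" if risk_score(f) >= 0.5 else "monitor"

def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, risk_score(f), action(f)) for f in ranked]

# Constructed sample findings; the CVE ids are placeholders, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, True, True, False),
    Finding("CVE-0000-0002", 7.5, 0.70, False, True, True, False, True),
    Finding("CVE-0000-0003", 9.1, 0.04, True, True, False, False, False),
    Finding("CVE-0000-0004", 5.3, 0.90, False, True, True, True, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Sorting by CVSS alone would put CVE-0000-0001 first; with likelihood and the in-use signal applied it drops to the bottom, while the not-yet-in-KEV item with a high EPSS ranks near the top and gets a "mitigate" action despite having no vendor patch.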