| name | Vulnerability Triage & Prioritization |
| description | Assess vulnerability severity using CVSS scoring, classify vulnerability types (CVE vs compliance), detect false positives, and prioritize remediation workflows. Use when analyzing vulnerability data, calculating risk scores, or determining remediation priority. |
| allowed-tools | Read, Bash |
Vulnerability Triage & Prioritization
Purpose: Systematic approach to assessing, classifying, and prioritizing vulnerabilities for remediation.
When to use: Analyzing vulnerability scan results, calculating risk scores, determining remediation priority, or building vulnerability management workflows.
1. CVSS Scoring System (Industry Standard)
CVSS v3.1 Components
Base Score (0.0-10.0): Intrinsic vulnerability characteristics Temporal Score: Changes over time (exploit availability, patches) Environmental Score: Organization-specific context
Base Score Metrics
| Metric | Values | Description |
|---|---|---|
| Attack Vector (AV) | Network/Adjacent/Local/Physical | How attacker accesses vulnerability |
| Attack Complexity (AC) | Low/High | Difficulty of exploit |
| Privileges Required (PR) | None/Low/High | Authentication level needed |
| User Interaction (UI) | None/Required | Does user need to participate? |
| Scope (S) | Unchanged/Changed | Does exploit affect other components? |
| Confidentiality Impact (C) | None/Low/High | Data exposure impact |
| Integrity Impact (I) | None/Low/High | Data modification impact |
| Availability Impact (A) | None/Low/High | Service disruption impact |
Severity Ratings
0.0 = None
0.1-3.9 = Low
4.0-6.9 = Medium
7.0-8.9 = High
9.0-10.0 = Critical
CVSS Calculation
Tools:
- NIST Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
- Python library:
pip install cvss
Example:
from cvss import CVSS3
vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
cvss = CVSS3(vector)
print(cvss.base_score) # 9.8 (Critical)
print(cvss.severity) # "CRITICAL"
2. Vulnerability Classification
CVE-Based Vulnerabilities
Characteristics:
- Assigned CVE ID:
CVE-YYYY-NNNNN(e.g., CVE-2024-12345) - Software/code vulnerabilities
- CVSS scoring applies
- Tracked in NVD (National Vulnerability Database)
Remediation: Patches, upgrades, workarounds
Compliance Findings (Non-CVE)
Characteristics:
- Configuration issues (hardening, policies)
- Missing security controls
- Policy violations (STIG, CIS, NIST)
- May or may not have CVE ID
Severity: Pass/Info/Low/Medium/High/Critical (framework-dependent) Remediation: Configuration changes, policy updates
Distinguishing Criteria
| Indicator | Type |
|---|---|
| Has CVE ID | CVE-based vulnerability |
| PluginID >= 1000000 (Tenable) | Compliance finding |
| No CVE, config issue | Compliance finding |
| Software bug/flaw | CVE-based vulnerability |
3. False Positive Detection
Common False Positive Patterns
- Software Not Installed: Vulnerability reported but software not actually present
- Incorrect Version Detection: Banner grabbing vs actual version mismatch
- Wrong Platform: Vulnerability applies to different OS/platform
- Compensating Controls: Firewall rules, network segmentation prevent exploit
- Specific Configuration Required: Vulnerability requires config not present
Validation Steps
1. Verify affected software is actually installed
└─ Check package manager, process list, file system
2. Confirm version is vulnerable
└─ Not just version string match (e.g., backported patches)
3. Check if exploit path exists
└─ Network access, authentication requirements
4. Verify compensating controls
└─ Firewall rules, WAF, network segmentation
5. Cross-reference multiple sources
└─ NVD, vendor advisories, security bulletins
Documentation
- Track false positive decisions with justification
- Update scanner rules to prevent recurrence
- Maintain false positive database for future reference
4. Remediation Prioritization Framework
Priority Factors (Weighted)
| Factor | Weight | Description |
|---|---|---|
| CVSS Score | 40% | Base severity (9.0+ = Critical) |
| Exploit Availability | 25% | Public exploit = High priority |
| Asset Criticality | 20% | Production > Staging > Dev |
| Attack Surface | 10% | Internet-facing > Internal |
| Data Sensitivity | 5% | PII/PHI > General data |
Priority Levels
P0 (Critical):
- CVSS 9.0+, public exploit, internet-facing
- SLA: Patch within 24 hours
- Example: Remote code execution on public web server
P1 (High):
- CVSS 7.0-8.9, exploit available, critical asset
- SLA: Patch within 7 days
- Example: SQL injection on production database
P2 (Medium):
- CVSS 4.0-6.9, no known exploit, important asset
- SLA: Patch within 30 days
- Example: XSS on internal application
P3 (Low):
- CVSS < 4.0, internal asset, no exploit
- SLA: Patch within 90 days or next maintenance window
- Example: Information disclosure on development server
5. Risk Scoring Formulas
Basic Risk Score
Risk = CVSS Score × Asset Criticality × Exposure Factor
Where:
- Asset Criticality: 1.0 (low) to 3.0 (critical)
- Exposure Factor: 1.0 (internal) to 2.0 (internet-facing)
Example:
CVSS: 8.5
Asset: Production database (criticality 3.0)
Exposure: Internal only (1.0)
Risk = 8.5 × 3.0 × 1.0 = 25.5
Advanced Risk Score (Multi-Factor)
Risk = (CVSS × 0.4) + (Exploit × 0.25) + (Criticality × 0.20) +
(Exposure × 0.10) + (Data × 0.05)
Scale to 0-100
Implementation:
def calculate_risk_score(
cvss: float,
has_exploit: bool,
asset_criticality: float, # 1.0-3.0
is_external: bool,
has_sensitive_data: bool
) -> float:
"""Calculate comprehensive risk score (0-100)."""
cvss_weighted = cvss * 4.0 # Scale to 0-40
exploit_weighted = 25 if has_exploit else 0
criticality_weighted = (asset_criticality / 3.0) * 20 # Scale to 0-20
exposure_weighted = 10 if is_external else 0
data_weighted = 5 if has_sensitive_data else 0
return (cvss_weighted + exploit_weighted + criticality_weighted +
exposure_weighted + data_weighted)
# Example
risk = calculate_risk_score(
cvss=8.5,
has_exploit=True,
asset_criticality=3.0,
is_external=True,
has_sensitive_data=True
)
# Result: 94.0 (Critical priority)
6. Compliance Severity Mapping
STIG/DISA Severity Codes
| Code | Severity | Description | CVSS Equivalent |
|---|---|---|---|
| CAT I | High | Direct threat, easy exploit | 7.0-10.0 |
| CAT II | Medium | Moderate risk | 4.0-6.9 |
| CAT III | Low | Low risk | 0.1-3.9 |
CIS Benchmark Levels
| Level | Description | Impact |
|---|---|---|
| Level 1 | Basic security | Minimal impact |
| Level 2 | Defense-in-depth | May impact functionality |
Compliance to Numeric Score Mapping
Compliance Severity → CVSS-like Score
Critical → 9.0-10.0
High → 7.0-8.9
Medium → 4.0-6.9
Low → 0.1-3.9
Info → 0.0
Pass → N/A (not a finding)
7. Triage Workflow
Step-by-Step Process
Step 1: Initial Assessment
├─ Review vulnerability details (CVE, description, affected software)
├─ Check CVSS score and severity rating
└─ Identify vulnerability type (CVE vs compliance)
Step 2: Validation
├─ Verify software version is vulnerable
├─ Check for false positive indicators
└─ Confirm exploit path exists
Step 3: Context Analysis
├─ Identify affected assets and their criticality
├─ Check network exposure (internal/external)
└─ Review compensating controls
Step 4: Prioritization
├─ Calculate risk score
├─ Assign priority level (P0-P3)
└─ Set remediation SLA
Step 5: Assignment
├─ Route to appropriate team (infrastructure, application, security)
├─ Provide remediation guidance
└─ Set tracking ticket with priority
8. Remediation Strategies
Primary Strategies
1. Patching
- Primary remediation for CVE vulnerabilities
- Test patches in non-production first
- Schedule maintenance windows for critical systems
2. Workarounds
- Disable affected feature/service
- Apply configuration changes
- Network segmentation
3. Compensating Controls
- Firewall rules (block attack vector)
- Web application firewall (WAF)
- Intrusion detection/prevention (IDS/IPS)
- Access controls (restrict authentication)
4. Risk Acceptance
- When remediation cost > risk
- Document decision and justification
- Re-evaluate periodically (quarterly review)
Decision Tree
Can patch be applied safely?
├─ YES → Apply patch (preferred)
└─ NO → Can workaround be applied?
├─ YES → Apply workaround
└─ NO → Can compensating control mitigate risk?
├─ YES → Implement compensating control
└─ NO → Risk acceptance required
9. Vulnerability Age Tracking
Age Calculation
Age (days) = Current Date - First Detected Date
Aging Thresholds
| Age Range | Category | Action |
|---|---|---|
| < 30 days | Fresh | Normal priority |
| 30-90 days | Moderate | Track closely |
| 90-180 days | Stale | Escalate to management |
| > 180 days | Critical Age | Executive report + plan |
Age-Based Escalation
Critical vuln > 30 days → Escalate to management
High vuln > 90 days → Executive report
Any vuln > 180 days → Remediation plan required
10. Metrics & Reporting
Key Metrics
Operational Metrics:
- Open vulnerability count (by severity)
- Mean Time To Remediate (MTTR) by severity
- Vulnerability aging distribution
- SLA compliance rate (% patched within SLA)
- False positive rate
Trend Metrics:
- New vulnerabilities per week
- Remediation velocity (closed per week)
- Risk score trend (30/90 days)
Executive Dashboard
Critical Indicators:
- Risk score trend (last 30/90 days)
- Top 10 vulnerable assets
- Critical vulnerabilities open > SLA
- Remediation velocity
- P0/P1 aging distribution
11. Exploit Intelligence
Exploit Databases
| Source | URL | Use Case |
|---|---|---|
| Exploit-DB | https://www.exploit-db.com/ | Public exploits |
| Metasploit | Search modules | Penetration testing tools |
| CISA KEV | Known Exploited Vulns catalog | Active exploitation in wild |
| VulnDB | Commercial | Comprehensive exploit intel |
Exploit Availability Check
def check_exploit_availability(cve_id: str) -> str:
"""Check if public exploit exists for CVE."""
# Check CISA KEV (Known Exploited Vulnerabilities)
if cve_id in cisa_kev_catalog:
return "Active Exploitation (CISA KEV)"
# Check Metasploit
if has_metasploit_module(cve_id):
return "Public Exploit (Metasploit)"
# Check Exploit-DB
if has_exploit_db_entry(cve_id):
return "Public Exploit (Exploit-DB)"
return "No Known Exploit"
Priority Impact:
- Active exploitation → Immediate P0 priority
- Public exploit available → P1 priority minimum
- No known exploit → Prioritize by CVSS + context
12. Best Practices
Operational Best Practices
- Automate Initial Triage: Use rules engine for classification
- Continuous Validation: Re-assess as new intelligence emerges
- Track Trends: Monitor vulnerability introduction rate
- Collaborate: Involve asset owners in decisions
- Document Exceptions: Maintain risk acceptance records
- Regular Reviews: Quarterly review of aging vulnerabilities
- Threat Modeling: Prioritize based on actual threat landscape
Common Pitfalls (Avoid These)
❌ Relying only on CVSS score (ignoring context) ❌ Not validating false positives ❌ Ignoring compensating controls ❌ Missing exploit availability checks ❌ Not tracking vulnerability age ❌ Treating all "Critical" equally ❌ Accepting risk without documentation
Quick Reference Card
Severity Quick Guide
| CVSS | Severity | SLA | Example |
|---|---|---|---|
| 9.0-10.0 | Critical | 24h | RCE on internet-facing server |
| 7.0-8.9 | High | 7d | SQL injection on production DB |
| 4.0-6.9 | Medium | 30d | XSS on internal application |
| 0.1-3.9 | Low | 90d | Info disclosure on dev server |
Triage Checklist
- CVSS score calculated or verified
- Vulnerability type classified (CVE vs compliance)
- False positive check completed
- Exploit availability confirmed
- Asset criticality assessed
- Risk score calculated
- Priority assigned (P0-P3)
- Remediation strategy selected
- SLA set and tracked
- Assignment routed to appropriate team
Risk Score Formula (Quick)
Risk = CVSS × Asset_Criticality × Exposure_Factor
Use this for quick prioritization when detailed scoring not needed.
See Also
- testing-standards - Validation testing for remediation
- mongodb-m32rimm-patterns - Storing vulnerability data
- python-style - Coding standards for triage automation