Understanding vulnerability prioritization

Severity is based on the vulnerability's CVSS score. An open industry standard, CVSS uses a formula of several access and impact metrics to calculate the severity of the vulnerability.

This table shows the tags we've assigned corresponding to CVSS scores.

Active ransomware are vulnerabilities that have been used in known ransomware campaigns. The severe impacts of ransomware incidents make these vulnerabilities a high priority.

The Cybersecurity & Infrastructure Security Agency (CISA) defines ransomware as "an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid."

Explore CISA's page for Known Exploited Vulnerabilities Catalog to learn more.

Exploit probability scores are based on EPSS, which rates the probability that a vulnerability will be exploited in the wild. In these cases, there are known instances of threat actors taking advantage of the vulnerability. EPSS scores can look low out of context, but security experts recommend giving higher priority to all vulnerabilities with an exploit probability above the 85th percentile. This indicates a significant risk that that vulnerability will be exploited.

Explore FIRST's page for The EPSS Model to learn more.

This table shows the tags we've assigned to each level of exploit probability.

IAST confirmed are vulnerabilities found in your custom code that are confirmed to actually be exploitable even if threat actors may not be aware of the exploit.