Prioritisation of vulnerabilities

  • Asset categorisation — how critical is the system that has vulnerabilities?

  • Adjudication — making a decision on whether the vulnerability discovered is a false positive. Review and validate.

  • Prioritisation of vulnerabilities — if a vulnerability exploits confidentiality, integrity, or availability, then that vulnerability would typically take priority.

Common Vulnerability Scoring System (CVSS)


  • CVSS has been around for a long time.

  • CVSS is popular in organisations.

  • CVSS is a free framework to adopt and recommended by organisations such as NIST.


  • CVSS was never designed to help prioritise vulnerabilities, instead, just assign a value of severity.

  • CVSS heavily assesses vulnerabilities on an exploit being available. Only 20% of all vulnerabilities have an exploit available (Tenable., 2020).

  • Vulnerabilities rarely change scoring after assessment despite the fact that new developments such as exploits may be found.

Vulnerability Priority Rating (VPR)


  • VPR is a modern framework that is real-world.

  • VPR considers over 150 factors when calculating risk.

  • VPR is risk-driven and used by organisations to help prioritise patching vulnerabilities.

  • Scorings are not final and are very dynamic, meaning the priority a vulnerability should be given can change as the vulnerability ages.


  • VPR is not open-source like some other vulnerability management frameworks.

  • VPR can only be adopted separate from a commercial platform.

  • VPR does not consider the CIA triad to the extent that CVSS does; meaning that risk to the confidentiality, integrity and availability of data does not play a large factor in scoring vulnerabilities when using VPR.

Real Risk Score (RRS)

Real Risk Score (RRS) may offer a good alternative. It enriches CVSS data to provide a more precise risk score.