Too Many Vulnerability Prioritization Standards: Use This One Instead
9:00 AM - 9:45 AM

We outline the current state of vulnerability prioritization methods, assess them formally and informally, and introduce several new approaches. The session begins with the changing vulnerability landscape and a review of historical prioritization targets and methods. From there, we introduce the most basic prioritization technique, categorization, and build up to an evaluation of the multiple CVSS scoring standards. We then examine two CISA-supported approaches: SSVC (Stakeholder-Specific Vulnerability Categorization), a categorical methodology that gives prescriptive guidance to security teams, and the Known Exploited Vulnerabilities (KEV) catalog. Next we review current forward-thinking models: FIRST.org’s EPSS (Exploit Prediction Scoring System) and the concept of a Social Risk Score. Finally, we argue the need for further innovation and give a demonstration showing that using more than one prioritization standard is not necessarily a bad thing. With a well-tuned prioritization pipeline that chains these signals, you can funnel your workload down to the most essential and appropriate items and reduce risk for your organization.