The Challenge of Using CVSS to Prioritize Your Remediation

In this video, we discuss one of the largest vectors of risk, vulnerabilities, and in particular an often-overlooked issue with CVSS: the speed of scoring.

CVSS scores take an average of 19 days to be assigned to a CVE after the vulnerability is announced. Threat actors typically create POC exploit code within the first 24 hours after a vulnerability is announced, so if you use CVSS to prioritize your remediation, you are giving them an unnecessary advantage. You need to take the ‘assume breach’ approach.

When you consider the average dwell time is roughly 200 days, you must assume that someone is already in your network. A new vulnerability and associated POC code may provide that opportunity, creating immediate risk to your internal assets too.

Cybersixgill’s DVE Score helps address this issue: it monitors the threat activity, chatter, POC exploit code, and other signals associated with a CVE to score the risk of exploitation immediately, rather than augmenting the CVSS score.