Overview
Not all vulnerabilities are created equal: a CVSS base score measures technical severity, not the risk a finding poses in your environment. This framework adds that environmental context so remediation effort goes where it buys the most security with the resources available.
Step 1: Categorize Severity
| Category | CVSS Range | Initial Priority |
|---|---|---|
| Critical | 9.0 - 10.0 | Immediate |
| High | 7.0 - 8.9 | 24-72 hours |
| Medium | 4.0 - 6.9 | 1-2 weeks |
| Low | 0.1 - 3.9 | Next cycle |
The ranges are the CVSS v3.x / v4.0 qualitative rating scale; a base score of 0.0 carries no rating and needs no ticket. Treat this priority as a starting point only: the base score says nothing about the asset the vulnerability sits on, which is what Step 2 adds.
Step 2: Apply Contextual Factors
Adjust the initial priority based on:
- Asset Criticality: Is the affected system business-critical (revenue-generating, safety-relevant, or a dependency for other critical systems)?
- Data Sensitivity: Does it store or process PII, financial, or otherwise regulated data?
- Exposure: Is it reachable from the internet, or only from the internal network?
- Exploitability: Is working exploit code publicly available, or only a proof of concept? Public exploit code moves a finding from "could be attacked" to "will be attacked by anyone who scans for it".
- Active Exploitation: Is it being exploited in the wild? Check the CISA Known Exploited Vulnerabilities (KEV) catalog and your own detection telemetry, and treat a listing there as authoritative regardless of the CVSS score.
Step 3: Priority Matrix
The rows come from the exploitability and active-exploitation factors, the columns from the asset factors (criticality, data sensitivity, exposure). The matrix result supersedes the initial priority from Step 1; where it lowers a Critical or High finding, record the reasoning as a risk decision under Step 4.
| Exploitability | High Asset Value | Low Asset Value |
|---|---|---|
| Active exploitation | P1 - Immediate | P1 - Immediate |
| Public exploit exists | P1 - Immediate | P2 - 24-72 hours |
| Proof of concept exists | P2 - 24-72 hours | P3 - 1-2 weeks |
| No known exploit | P3 - 1-2 weeks | P4 - Next cycle |
Step 4: Document and Track
- Log every finding in a tracking system, including both the severity-based initial priority and the final contextual priority, so downgrades are visible to reviewers
- Assign an owner and a deadline derived from the priority's remediation window
- Track remediation progress against that deadline
- Verify fixes through retesting; close a ticket only on a passing retest, not on a report that a patch was applied
- Document exceptions and risk acceptances with an owner, the compensating controls in place, and an expiry date so they are re-evaluated rather than forgotten
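The four steps above carried through in code, as an added example that is not part of the original page. The Vuln records, the mapping of the three asset factors onto the matrix's High/Low asset value columns, the SLA hours for each priority, and the ticket fields are assumptions made for this illustration; the severity bands and the priority matrix are taken directly from the tables above.

```python
"""Worked example of the four-step vulnerability prioritization framework.

Added illustration, not from the original page. Assumptions: the Vuln fields,
the rule that any one asset factor puts an asset in the High Asset Value
column, the SLA hours per priority, and the ticket layout.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Step 1: CVSS v3.x/v4.0 qualitative rating scale and the initial priority.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))
INITIAL_PRIORITY = {"Critical": "P1", "High": "P2", "Medium": "P3", "Low": "P4"}

# Step 3: priority matrix keyed by (exploitability, high asset value).
EXPLOIT_LEVELS = ("active", "public_exploit", "poc", "none")
MATRIX = {
    ("active", True): "P1",         ("active", False): "P1",
    ("public_exploit", True): "P1", ("public_exploit", False): "P2",
    ("poc", True): "P2",            ("poc", False): "P3",
    ("none", True): "P3",           ("none", False): "P4",
}

# Remediation windows (assumption): "Immediate" is due now, "Next cycle" has
# no fixed date, the others use the upper end of the window from the table.
SLA_HOURS: dict[str, Optional[int]] = {"P1": 0, "P2": 72, "P3": 14 * 24, "P4": None}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss: float
    business_critical: bool   # Step 2: asset criticality
    sensitive_data: bool      # Step 2: PII / financial / regulated data
    internet_facing: bool     # Step 2: exposure
    exploitability: str       # Step 2: one of EXPLOIT_LEVELS


def severity(cvss: float) -> str:
    """Step 1: map a CVSS base score to its qualitative rating."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "None"   # a 0.0 base score has no rating and needs no ticket


def is_high_value(v: Vuln) -> bool:
    """Step 2 (assumption): any one asset factor selects the High Asset Value column."""
    return v.business_critical or v.sensitive_data or v.internet_facing


def prioritize(v: Vuln) -> str:
    """Step 3: final priority from the matrix."""
    if v.exploitability not in EXPLOIT_LEVELS:
        raise ValueError(f"unknown exploitability level: {v.exploitability}")
    return MATRIX[(v.exploitability, is_high_value(v))]


def deadline(priority: str, now: datetime) -> Optional[datetime]:
    """Step 4: due date from the priority's remediation window (None = next cycle)."""
    hours = SLA_HOURS[priority]
    return None if hours is None else now + timedelta(hours=hours)


def make_ticket(v: Vuln, owner: str, now: datetime) -> dict:
    """Step 4: tracking record. Keeps both the severity-based initial priority
    and the contextual one so any downgrade is visible for risk review."""
    sev = severity(v.cvss)
    initial = INITIAL_PRIORITY.get(sev)
    final = prioritize(v)
    due = deadline(final, now)
    return {
        "id": v.vuln_id,
        "severity": sev,
        "initial_priority": initial,
        "priority": final,
        "downgraded": initial is not None and final > initial,  # "P4" > "P1"
        "owner": owner,
        "due": None if due is None else due.isoformat(),
        "status": "open",
        "exception": None,   # filled in when a risk acceptance is recorded
    }


def verify_fix(ticket: dict, retest_passed: bool) -> dict:
    """Step 4: close only on a passing retest, otherwise reopen."""
    return {**ticket, "status": "closed" if retest_passed else "reopened"}


# Constructed sample findings (identifiers are illustrative, not real CVEs).
SAMPLE = [
    Vuln("VULN-001", 5.3, False, False, False, "active"),         # Medium, internal, but exploited in the wild
    Vuln("VULN-002", 9.8, False, False, False, "none"),           # Critical by CVSS, low-value host, no exploit
    Vuln("VULN-003", 7.5, True, False, True, "public_exploit"),   # High, internet-facing, public exploit
    Vuln("VULN-004", 6.1, False, True, False, "poc"),             # Medium, handles PII, proof of concept only
]


def triage(vulns, owner: str = "appsec", now: Optional[datetime] = None) -> list[dict]:
    """Produce tickets for a batch of findings, most urgent first."""
    now = now or datetime.now(timezone.utc)
    tickets = [make_ticket(v, owner, now) for v in vulns]
    return sorted(tickets, key=lambda t: t["priority"])   # stable: ties keep input order


if __name__ == "__main__":
    for t in triage(SAMPLE):
        print(f'{t["id"]}: {t["severity"]:<8} {t["initial_priority"]} -> {t["priority"]}'
              f' due {t["due"]} downgraded={t["downgraded"]}')
```

Running it shows the point of the framework: VULN-001 is only Medium by CVSS but lands at P1 because it is actively exploited, while VULN-002 is Critical by CVSS yet drops to P4 on a low-value host with no known exploit. That second case is exactly the downgrade the ticket's `downgraded` flag surfaces for a documented risk acceptance, and a team that is uncomfortable with it should tighten `is_high_value` or the matrix rather than bypass the process.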
