Building a Vulnerability Management Program: CVE Tracking, Prioritization & Patching
The Vulnerability Flood
The number of reported vulnerabilities grows every year, and the yearly increase has stayed in double digits:
| Year | New CVEs Published | Critical/High | Change |
|---|---|---|---|
| 2020 | 18,362 | 5,108 | — |
| 2021 | 20,174 | 5,891 | +10% |
| 2022 | 25,227 | 7,142 | +25% |
| 2023 | 28,961 | 8,314 | +15% |
| 2024 | 33,137 | 9,852 | +14% |
| 2025 (projected) | 38,000+ | 11,000+ | +15% |
Source: NIST NVD, CVE.org
The Hard Truth: You cannot patch every vulnerability. No organization has the resources to fix 33,000+ CVEs per year across their entire infrastructure. The answer is risk-based prioritization — focus on the vulnerabilities that matter most to your specific environment.
Risk-Based Prioritization
CVSS Is Not Enough
CVSS (Common Vulnerability Scoring System) scores measure theoretical severity, not real-world risk. A CVSS 9.8 vulnerability in a library you don't use is zero risk. A CVSS 6.5 vulnerability in your internet-facing authentication service is critical.
Factors for Real Risk Assessment:
| Factor | Question | Weight |
|---|---|---|
| CVSS Score | How severe is the vulnerability? | Medium |
| EPSS Score | What's the probability of exploitation? | High |
| CISA KEV | Is it actively exploited in the wild? | Very High |
| Asset Criticality | Is the affected system business-critical? | Very High |
| Exposure | Is it internet-facing or internal-only? | High |
| Compensating Controls | Are there mitigations in place? | Medium |
| Exploit Availability | Is there a public exploit? | High |
EPSS: Exploit Prediction Scoring System
EPSS predicts the probability that a vulnerability will be exploited in the wild within the next 30 days.
| EPSS Score | Interpretation | Action |
|---|---|---|
| > 0.7 (70%) | Very likely to be exploited | Patch within 24 hours |
| 0.3 - 0.7 | Moderate exploitation probability | Patch within 7 days |
| 0.1 - 0.3 | Low exploitation probability | Patch within 30 days |
| < 0.1 (10%) | Unlikely to be exploited | Patch in next maintenance cycle |
CISA KEV (Known Exploited Vulnerabilities Catalog)
CISA's KEV catalog lists vulnerabilities that are confirmed actively exploited in the wild. If a vulnerability is on this list, patch immediately.
Vulnerability Management SLAs
| Severity | Criteria | SLA | Escalation |
|---|---|---|---|
| P0: Emergency | CISA KEV + internet-facing OR active exploitation against you | 24 hours | Immediate exec notification |
| P1: Critical | CVSS ≥ 9.0 + exploitable + internet-facing | 72 hours | CISO notification |
| P2: High | CVSS 7.0-8.9 OR EPSS > 0.3 | 14 days | Team lead notification |
| P3: Medium | CVSS 4.0-6.9 AND low EPSS | 30 days | Sprint planning |
| P4: Low | CVSS < 4.0 AND no known exploit | 90 days | Backlog |
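The prioritization factors, the EPSS bands and the P0-P4 SLA table above can be encoded directly as a triage function. The following is an added example (not code from the original article): it follows the SLA table literally, top-down so the most severe matching rule wins, and the finding records, CVE placeholders and SLA hours are constructed sample data. One case the table leaves undefined (a finding below CVSS 4.0 that nevertheless has a public exploit) is treated here as P3; that is an assumption, not something the article states.

```python
"""Risk-based priority assignment for vulnerability findings.

Added example, not code from the original article. It encodes the article's
SLA table (P0-P4) and EPSS bands as functions; the finding records and
CVE identifiers below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                    # identifier (constructed placeholders below)
    cvss: float                 # CVSS base score, 0.0-10.0
    epss: float                 # EPSS probability, 0.0-1.0
    in_kev: bool                # listed in the CISA KEV catalog
    exploit_public: bool        # a public exploit exists
    internet_facing: bool       # reachable from the internet
    active_exploitation: bool = False  # exploitation observed against *your* environment


# Remediation SLA per priority, in hours (from the article's SLA table).
SLA_HOURS = {"P0": 24, "P1": 72, "P2": 14 * 24, "P3": 30 * 24, "P4": 90 * 24}


def epss_band(epss: float) -> str:
    """Map an EPSS probability to the article's interpretation bands."""
    if epss > 0.7:
        return "very likely"
    if epss >= 0.3:
        return "moderate"
    if epss >= 0.1:
        return "low"
    return "unlikely"


def prioritize(f: Finding) -> str:
    """Return P0..P4 following the SLA table; rules are checked from most severe down."""
    # P0: on KEV and reachable from the internet, or exploitation seen against you
    if (f.in_kev and f.internet_facing) or f.active_exploitation:
        return "P0"
    # P1: critical CVSS, exploitable (public exploit or KEV) and internet-facing
    if f.cvss >= 9.0 and (f.exploit_public or f.in_kev) and f.internet_facing:
        return "P1"
    # P2: high CVSS, or a meaningful exploitation probability whatever the CVSS
    if f.cvss >= 7.0 or f.epss > 0.3:
        return "P2"
    # P3: medium CVSS with low EPSS (EPSS <= 0.3 is guaranteed here).
    # Assumption: a low-CVSS finding with a known exploit is not "P4: no known
    # exploit", so it is also placed in P3; the table does not define this case.
    if f.cvss >= 4.0 or f.exploit_public or f.in_kev:
        return "P3"
    # P4: low CVSS and no known exploit
    return "P4"


def work_queue(findings):
    """Return (priority, cve, sla_hours, epss_band) tuples, most urgent first."""
    rows = []
    for f in findings:
        prio = prioritize(f)
        rows.append((prio, f.cve, SLA_HOURS[prio], epss_band(f.epss)))
    return sorted(rows)  # "P0" < "P1" < ... so lexical order is severity order


SAMPLE_FINDINGS = [  # constructed sample data, not real CVEs
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, False),  # critical score, internal, no exploit
    Finding("CVE-0000-0002", 6.5, 0.85, True, True, True),     # KEV, internet-facing auth service
    Finding("CVE-0000-0003", 9.1, 0.45, False, True, True),    # critical, public exploit, exposed
    Finding("CVE-0000-0004", 5.3, 0.05, False, False, True),   # medium, low EPSS
    Finding("CVE-0000-0005", 3.1, 0.01, False, False, False),  # low, nothing known
]

if __name__ == "__main__":
    for prio, cve, hours, band in work_queue(SAMPLE_FINDINGS):
        print(f"{prio} {cve} fix within {hours}h (EPSS: {band})")
```

Note the first two sample rows: the CVSS 9.8 finding on an internal, unexploited component lands in P2, while the CVSS 6.5 finding on an internet-facing service that is on the KEV list lands in P0. That inversion relative to raw CVSS is exactly the point of the "CVSS Is Not Enough" section.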
Vulnerability Scanning Strategy
| Scanner Type | Coverage | Frequency | Tools |
|---|---|---|---|
| Infrastructure | Servers, network devices, cloud resources | Weekly | Nessus, Qualys, Rapid7 |
| Application (DAST) | Web applications, APIs | Weekly on staging | OWASP ZAP, Burp Enterprise |
| Dependency (SCA) | Libraries, packages | Every build | Snyk, npm audit, Trivy |
| Container | Docker images, registries | Every build + daily registry scan | Trivy, Grype, Anchore |
| Cloud | AWS/Azure/GCP misconfigurations | Continuous | Prowler, ScoutSuite, Wiz |
| IaC | Terraform, K8s manifests | Every PR | Checkov, tfsec |
Automated Patching
What Should Be Auto-Patched?
| Category | Auto-Patch? | Rationale |
|---|---|---|
| OS security updates | Yes (non-breaking) | Well-tested, low risk |
| Minor dependency updates | Yes (with tests) | Semver minor = backward compatible |
| Critical CVE patches | Yes (with rollback) | Speed > caution for active exploits |
| Major version upgrades | No (manual review) | Breaking changes likely |
| Custom application patches | No (manual) | Requires code review and testing |
Automated Patching Pipeline
```yaml
# Dependabot configuration for automated updates
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "automated"
# Auto-merging minor and patch updates is not configured in this file; it is
# done by a separate workflow that inspects the update type of each PR.
# Major updates require manual review.
```
Metrics and Reporting
| KPI | Target | Formula |
|---|---|---|
| Mean Time to Remediate (Critical) | < 72 hours | Avg time from discovery to fix |
| SLA compliance rate | > 95% | Vulns fixed within SLA / total vulns |
| Vulnerability density | Decreasing trend | Open vulns / total assets |
| Scan coverage | > 99% | Scanned assets / total assets |
| Age of oldest unpatched critical | < 14 days | Calendar days since discovery |
| False positive rate | < 10% | False positives / total findings |
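The KPI formulas in the table are simple to state but easy to get subtly wrong (which findings count as "total", whether open findings count against SLA compliance, what the reference time is). The following is an added example, not code from the article, that computes each KPI from constructed finding records against a fixed reference time and compares it with the table's targets. The design choices it makes and labels as assumptions: false positives are excluded from remediation metrics, and a finding that is still open counts against SLA compliance rather than being ignored.

```python
"""KPI computation for a vulnerability management programme.

Added example, not code from the original article. Finding records, the
asset counts and the reference time NOW are constructed sample data; the
formulas and targets follow the article's KPI table.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Record:
    cve: str                    # constructed placeholder identifier
    severity: str               # "critical", "high", "medium", "low"
    discovered: datetime
    fixed: Optional[datetime]   # None while the finding is still open
    sla_days: int               # SLA assigned at triage
    false_positive: bool = False


NOW = datetime(2025, 3, 1, 12, 0)  # fixed reference time so results are reproducible

RECORDS = [  # constructed sample data, not real CVEs
    Record("CVE-0000-0101", "critical", NOW - timedelta(days=5), NOW - timedelta(days=3), 3),     # fixed in 48h
    Record("CVE-0000-0102", "critical", NOW - timedelta(days=10), NOW - timedelta(days=6), 3),    # fixed in 96h, SLA missed
    Record("CVE-0000-0103", "critical", NOW - timedelta(days=20), None, 3),                       # still open, 20 days old
    Record("CVE-0000-0104", "high", NOW - timedelta(days=30), NOW - timedelta(days=20), 14),      # fixed in 10 days
    Record("CVE-0000-0105", "medium", NOW - timedelta(days=2), None, 30),                         # open, inside its SLA window
    Record("CVE-0000-0106", "high", NOW - timedelta(days=4), NOW - timedelta(days=4), 14, True),  # closed as false positive
]


def _real(records):
    """Assumption: false positives are excluded from remediation metrics."""
    return [r for r in records if not r.false_positive]


def mttr_hours(records, severity="critical"):
    """Mean time to remediate: average discovery-to-fix time over fixed findings of one severity."""
    durations = [(r.fixed - r.discovered).total_seconds() / 3600
                 for r in _real(records) if r.severity == severity and r.fixed is not None]
    return sum(durations) / len(durations) if durations else None


def sla_compliance(records):
    """Vulns fixed within SLA / total vulns. Assumption: open findings count against the rate."""
    real = _real(records)
    on_time = [r for r in real
               if r.fixed is not None and r.fixed - r.discovered <= timedelta(days=r.sla_days)]
    return len(on_time) / len(real) if real else None


def oldest_open_age_days(records, now, severity="critical"):
    """Calendar days since discovery of the oldest still-open finding of one severity."""
    ages = [(now - r.discovered).total_seconds() / 86400
            for r in _real(records) if r.severity == severity and r.fixed is None]
    return max(ages) if ages else 0.0


def false_positive_rate(records):
    """False positives / total findings (false positives stay in the denominator here)."""
    return sum(r.false_positive for r in records) / len(records) if records else None


def vulnerability_density(records, total_assets):
    """Open vulns / total assets; the table tracks its trend rather than a point target."""
    open_count = sum(1 for r in _real(records) if r.fixed is None)
    return open_count / total_assets


def kpi_report(records, now, total_assets, scanned_assets):
    """Evaluate every KPI against the article's target; returns {kpi: (value, on_target)}."""
    mttr = mttr_hours(records)
    sla = sla_compliance(records)
    oldest = oldest_open_age_days(records, now)
    fpr = false_positive_rate(records)
    coverage = scanned_assets / total_assets
    return {
        "mttr_critical_hours": (mttr, mttr is not None and mttr < 72),
        "sla_compliance": (sla, sla is not None and sla > 0.95),
        "oldest_open_critical_days": (oldest, oldest < 14),
        "false_positive_rate": (fpr, fpr is not None and fpr < 0.10),
        "scan_coverage": (coverage, coverage > 0.99),
        "vulnerability_density": (vulnerability_density(records, total_assets), None),
    }


if __name__ == "__main__":
    for kpi, (value, ok) in kpi_report(RECORDS, NOW, total_assets=50, scanned_assets=50).items():
        print(f"{kpi}: {value} on_target={ok}")
```

With the sample data the critical MTTR comes out at exactly 72 hours, which the table's "< 72 hours" target counts as a miss; keeping the comparison strict (rather than `<=`) is deliberate so the report matches the table as written.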
Further Reading
- CISA KEV Catalog — Actively exploited vulnerabilities
- FIRST EPSS — Exploit prediction scores
- NIST NVD — National Vulnerability Database
- Shift-Left Security — Catching vulnerabilities earlier
- SAST vs DAST vs SCA — Security testing tool comparison