Vulnerability Prioritizer

v1.0.1

Prioritize vulnerabilities beyond CVSS scores using EPSS (Exploit Prediction Scoring), CISA KEV, asset criticality, reachability analysis, and exploit maturi...

0· 81· 2 versions· 1 current· 1 all-time· Updated 10h ago· MIT-0

Install

openclaw skills install vulnerability-prioritizer

Vulnerability Prioritizer

Stop fixing CVEs by CVSS score alone. Prioritize vulnerabilities using real-world exploit data (EPSS), CISA Known Exploited Vulnerabilities catalog, asset criticality, network reachability, and exploit maturity — then produce a ranked remediation plan that focuses effort where risk is highest.

Use when: "prioritize these CVEs", "which vulnerabilities matter most", "triage scan results", "what should we patch first", "vulnerability report from scanner", "risk-based prioritization", or after receiving scan output from Snyk, Trivy, Grype, Qualys, or Nessus.

Commands

1. prioritize — Risk-Rank Vulnerability List

Step 1: Parse Scanner Output

Accept input from common scanners:

# Trivy JSON output
trivy image --format json $IMAGE 2>/dev/null

# Grype JSON output
grype $IMAGE -o json 2>/dev/null

# npm audit
npm audit --json 2>/dev/null

# pip-audit
pip-audit --format json 2>/dev/null

Extract for each vulnerability:

  • CVE ID
  • CVSS score (v3 preferred)
  • Affected package and version
  • Fixed version (if available)
  • Severity label

Step 2: Enrich with EPSS Data

# Fetch EPSS scores (Exploit Prediction Scoring System)
# EPSS API: probability of exploitation in next 30 days
curl -s "https://api.first.org/data/v1/epss?cve=CVE-2024-1234,CVE-2024-5678" | \
  python3 -c "
import json, sys
data = json.load(sys.stdin)
for entry in data.get('data', []):
    cve = entry['cve']
    epss = float(entry['epss'])
    pctl = float(entry['percentile'])
    risk = 'CRITICAL' if epss > 0.5 else 'HIGH' if epss > 0.1 else 'MEDIUM' if epss > 0.01 else 'LOW'
    print(f'{cve}: EPSS={epss:.4f} (percentile {pctl:.2f}) — {risk} exploit likelihood')
"

Step 3: Check CISA KEV (Known Exploited Vulnerabilities)

# Download CISA KEV catalog
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | \
  python3 -c "
import json, sys
kev = json.load(sys.stdin)
kev_cves = {v['cveID'] for v in kev['vulnerabilities']}
# Check your CVE list against KEV
target_cves = sys.argv[1].split(',') if len(sys.argv) > 1 else []
for cve in target_cves:
    if cve in kev_cves:
        print(f'🚨 {cve} is in CISA KEV — ACTIVELY EXPLOITED, patch immediately')
" "CVE-2024-1234,CVE-2024-5678"

Step 4: Assess Asset Criticality

Ask about or infer the asset context:

  • Internet-facing? Publicly reachable services get a 2× risk multiplier
  • Contains sensitive data? PII, credentials, financial data → 2× multiplier
  • Business criticality? Revenue-generating, auth, payment → 1.5× multiplier
  • Blast radius? Shared libraries, base images, common services → 1.5× multiplier

Step 5: Calculate Composite Risk Score

Risk Score = CVSS_normalized × EPSS_weight × asset_multiplier × exploit_maturity

Where:
- CVSS_normalized = CVSS / 10 (0-1 range)
- EPSS_weight = 1 + (EPSS × 10)  (EPSS 0.5 → 6× weight)
- asset_multiplier = product of applicable multipliers
- exploit_maturity:
  - In CISA KEV = 5.0
  - Public exploit (Metasploit, ExploitDB) = 3.0
  - PoC available = 2.0
  - Theoretical = 1.0
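As an added worked example (not code shipped with the skill), the Step 4 multipliers and the Step 5 formula applied to three constructed findings and ranked; the `MATURITY` and `ASSET_MULTIPLIERS` key names and the placeholder CVE IDs are assumptions.

```python
from dataclasses import dataclass

# Exploit maturity factors from Step 5 (key names are assumed)
MATURITY = {"kev": 5.0, "public_exploit": 3.0, "poc": 2.0, "theoretical": 1.0}
# Asset-context multipliers from Step 4 (key names are assumed)
ASSET_MULTIPLIERS = {
    "internet_facing": 2.0,
    "sensitive_data": 2.0,
    "business_critical": 1.5,
    "wide_blast_radius": 1.5,
}

@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float
    epss: float
    maturity: str             # one of MATURITY's keys
    asset_flags: tuple = ()   # applicable ASSET_MULTIPLIERS keys

def asset_multiplier(flags):
    """Product of all applicable asset multipliers (1.0 when none apply)."""
    m = 1.0
    for flag in flags:
        m *= ASSET_MULTIPLIERS[flag]
    return m

def risk_score(v):
    """Risk = CVSS/10 * (1 + EPSS*10) * asset_multiplier * exploit_maturity."""
    cvss_normalized = v.cvss / 10.0
    epss_weight = 1.0 + v.epss * 10.0
    return cvss_normalized * epss_weight * asset_multiplier(v.asset_flags) * MATURITY[v.maturity]

def rank(vulns):
    """Highest composite risk first."""
    return sorted(vulns, key=risk_score, reverse=True)

# Constructed sample findings (CVE IDs are placeholders, not real CVEs)
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.87, "kev", ("internet_facing",)),
    Vuln("CVE-0000-0002", 9.1, 0.001, "theoretical"),  # high CVSS, negligible real risk
    Vuln("CVE-0000-0003", 7.5, 0.30, "public_exploit", ("sensitive_data", "business_critical")),
]

if __name__ == "__main__":
    for i, v in enumerate(rank(SAMPLE), 1):
        print(f"{i}. {v.cve} CVSS={v.cvss} EPSS={v.epss} risk={risk_score(v):.1f}")
```

Note how the CVSS 9.1 finding lands last: with no exploit and no exposed asset the EPSS weight and maturity factor stay near 1, which is exactly the de-prioritization the report's last table calls out.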

Step 6: Generate Prioritized Report

# Vulnerability Prioritization Report

## Summary
- Total vulnerabilities: 142
- After prioritization: 12 critical, 23 high, 45 medium, 62 low
- Remediation effort: ~3 days for critical+high

## 🚨 Critical Priority (patch within 24h)
| Rank | CVE | CVSS | EPSS | KEV | Package | Risk Score | Fix |
|------|-----|------|------|-----|---------|-----------|-----|
| 1 | CVE-2024-1234 | 9.8 | 0.87 | ✅ | openssl 3.0.1 | 48.2 | Upgrade to 3.0.15 |
| 2 | CVE-2024-5678 | 8.1 | 0.45 | ✅ | log4j 2.14.1 | 36.5 | Upgrade to 2.21.0 |

## ⚠️ High Priority (patch within 1 week)
...

## De-prioritized (CVSS high but low real risk)
| CVE | CVSS | EPSS | Reason |
|-----|------|------|--------|
| CVE-2024-9999 | 9.1 | 0.001 | No known exploit, internal-only service, no sensitive data |

2. compare — Track Vulnerability Trends

Compare current scan results against a previous baseline:

  • New vulnerabilities since last scan
  • Vulnerabilities that were fixed
  • Vulnerabilities that got worse (new exploit published, added to KEV)
  • Mean time to remediate (MTTR) by severity
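An added example (not the skill's own code) of the compare command over two constructed scan snapshots: it lists new and fixed CVEs, flags ones that got worse, and computes MTTR per severity. The record fields, the maturity labels, the use of the current scan date as the fix date, and the placeholder CVE IDs are assumptions.

```python
from datetime import date
from statistics import mean

def compare_scans(baseline, current, scan_date):
    """Diff two scans keyed by CVE; records carry severity, epss, kev, maturity, first_seen."""
    base_ids, cur_ids = set(baseline), set(current)
    report = {"new": sorted(cur_ids - base_ids), "fixed": sorted(base_ids - cur_ids), "worse": [], "mttr_days": {}}
    # CVEs present in both scans whose exploit picture deteriorated
    for cve in sorted(base_ids & cur_ids):
        b, c = baseline[cve], current[cve]
        reasons = []
        if c["kev"] and not b["kev"]:
            reasons.append("added to CISA KEV")
        if c["maturity"] != b["maturity"]:
            reasons.append(f"exploit maturity {b['maturity']} -> {c['maturity']}")
        if c["epss"] > b["epss"]:
            reasons.append(f"EPSS {b['epss']:.3f} -> {c['epss']:.3f}")
        if reasons:
            report["worse"].append((cve, reasons))
    # MTTR per severity: days from first sighting to the scan in which the CVE disappeared
    # (assumption: the current scan date stands in for the actual fix date)
    by_sev = {}
    for cve in report["fixed"]:
        rec = baseline[cve]
        by_sev.setdefault(rec["severity"], []).append((scan_date - rec["first_seen"]).days)
    report["mttr_days"] = {sev: mean(days) for sev, days in by_sev.items()}
    return report

# Constructed sample scans (placeholder CVE IDs)
BASELINE_SCAN = {
    "CVE-0000-0001": {"severity": "high", "epss": 0.05, "kev": False, "maturity": "poc", "first_seen": date(2024, 1, 1)},
    "CVE-0000-0002": {"severity": "critical", "epss": 0.40, "kev": False, "maturity": "public_exploit", "first_seen": date(2024, 1, 10)},
    "CVE-0000-0003": {"severity": "high", "epss": 0.02, "kev": False, "maturity": "theoretical", "first_seen": date(2024, 1, 5)},
}
CURRENT_SCAN = {
    "CVE-0000-0001": {"severity": "high", "epss": 0.30, "kev": True, "maturity": "public_exploit", "first_seen": date(2024, 1, 1)},
    "CVE-0000-0004": {"severity": "medium", "epss": 0.01, "kev": False, "maturity": "theoretical", "first_seen": date(2024, 2, 1)},
}
SCAN_DATE = date(2024, 2, 1)

if __name__ == "__main__":
    print(compare_scans(BASELINE_SCAN, CURRENT_SCAN, SCAN_DATE))
```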

3. sla — Generate Remediation SLAs

Based on industry standards and the organization's risk tolerance:

  • Critical (KEV + EPSS > 0.5): 24 hours
  • High (EPSS > 0.1 or CVSS ≥ 9.0): 7 days
  • Medium (EPSS > 0.01 or CVSS ≥ 7.0): 30 days
  • Low: 90 days or next release cycle

Track SLA compliance and flag overdue items.
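An added example (not the skill's own code) that applies the SLA tiers above literally, in the order listed, and flags overdue findings; the finding fields and placeholder CVE IDs are assumptions. Note that a KEV entry with EPSS at or below 0.5 falls through to the EPSS/CVSS tests rather than the 24-hour tier, exactly as the tiers are written.

```python
from datetime import date, timedelta

def sla_days(cvss, epss, in_kev):
    """Remediation window in days (Critical's 24 hours is 1 day), tiers tested in order."""
    if in_kev and epss > 0.5:
        return 1
    if epss > 0.1 or cvss >= 9.0:
        return 7
    if epss > 0.01 or cvss >= 7.0:
        return 30
    return 90

def sla_status(finding, today):
    """Due date and days overdue for one finding (dict with cve, cvss, epss, kev, first_seen)."""
    window = sla_days(finding["cvss"], finding["epss"], finding["kev"])
    due = finding["first_seen"] + timedelta(days=window)
    return {"cve": finding["cve"], "due": due, "days_overdue": max(0, (today - due).days)}

def overdue(findings, today):
    """Findings past their SLA, most overdue first."""
    statuses = [sla_status(f, today) for f in findings]
    return sorted((s for s in statuses if s["days_overdue"] > 0),
                  key=lambda s: s["days_overdue"], reverse=True)

# Constructed open findings (placeholder CVE IDs), all first seen on the same day
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.87, "kev": True, "first_seen": date(2024, 3, 1)},
    {"cve": "CVE-0000-0002", "cvss": 9.1, "epss": 0.001, "kev": False, "first_seen": date(2024, 3, 1)},
    {"cve": "CVE-0000-0003", "cvss": 7.5, "epss": 0.02, "kev": False, "first_seen": date(2024, 3, 1)},
    {"cve": "CVE-0000-0004", "cvss": 5.0, "epss": 0.001, "kev": False, "first_seen": date(2024, 3, 1)},
]
TODAY = date(2024, 3, 10)

if __name__ == "__main__":
    for s in overdue(FINDINGS, TODAY):
        print(f"{s['cve']} overdue by {s['days_overdue']} days (due {s['due']})")
```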

4. reachability — Analyze Exploit Reachability

For each vulnerability, determine if the vulnerable code path is actually reachable:

# Check if vulnerable function is called (example for npm)
# Find which module has the CVE and every dependency chain that pulls it in
npm ls --json --all 2>/dev/null | python3 -c "
import json, sys
tree = json.load(sys.stdin)
target = sys.argv[1]
# Walk the dependency tree: print each chain root -> ... -> target and whether it is direct or transitive
def walk(node, chain):
    for name, child in node.get('dependencies', {}).items():
        path = chain + [name + '@' + child.get('version', '?')]
        if name == target:
            print(' -> '.join(path), '(direct)' if len(path) == 1 else '(transitive)')
        walk(child, path)
walk(tree, [])
" vulnerable-package

# Check import chain
rg "require\(['\"]vulnerable-package['\"]" --type js
rg "from ['\"]vulnerable-package['\"]" --type ts

Mark as reachable (fix urgently), transitively reachable (fix soon), or phantom (dependency exists but code path never executes — deprioritize).
