Newcomer I

criticality based patching

For our patching process we currently define criticality (if applicable) based on the:

  - CVSSv3 score
  - System is publicly accessible
  - Optional - is the vulnerability being exploited?

Would like to hear from others if they do something different.

And also if they do this for every vuln discovered by your scanning tool?

5 Replies
Community Champion

We prioritize primarily based on VPR score, which is similar to CVSS but better incorporates the exploitedness and has the prerequisite that one uses Nessus.


That said, we also prioritize systems that are publicly accessible.

Advocate II

You've pretty much nailed it with those criteria, although you may want to consider any regulatory/legal aspect to being sure certain systems are secure too.

Community Champion


@orionquest the fixing of vulnerabilities in your infrastructure should factor in multiple criteria, including:


  1. Vulnerability scores - Open standard (CVSS) or system (VPR)
  2. System criticality - Set by you when you manage assets
  3. Organization policies - The policies defined in your organization
  4. Regulations - The requirements set by regulatory authorities


For example, should a scanner detect a vulnerability with a very high CVSS score on a system that isn't critical to business or is used for testing & properly isolated from my production environment, I won't prioritize fixing it. On the other hand, if it's an important production system that happens to be published, I'll be concerned about vulnerabilities with even a low CVSS score.


This can be affected by organization policies; say, a policy mandating that ALL systems belonging to a vendor be kept patched to ensure proper support.


Finally, all of this can be superseded if I have to comply with the requirements of the regulatory authority.



Shannon D'Cruz,
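
The precedence described in the post above (score, then system criticality, then policy, with regulation overriding), as an added example that is not part of the original thread. The field names, tier names and step sizes are assumptions, and the sample findings are constructed.

```python
from dataclasses import dataclass

TIERS = ["low", "medium", "high", "urgent"]  # assumed tier names

@dataclass
class Finding:
    host: str
    cvss: float                    # CVSSv3 base score, 0.0-10.0
    critical: bool = False         # system criticality, set by the asset owner
    public: bool = False           # published / reachable from outside
    isolated_test: bool = False    # test system isolated from production
    exploited: bool = False        # vulnerability is being exploited
    policy_mandated: bool = False  # organization policy requires patching
    regulated: bool = False        # a regulatory requirement applies

def tier_index(f: Finding) -> int:
    # Start from the CVSSv3 qualitative bands (low/medium/high/critical).
    tier = 0 if f.cvss < 4.0 else 1 if f.cvss < 7.0 else 2 if f.cvss < 9.0 else 3
    # System context moves the score-derived tier (step sizes are assumptions).
    if f.isolated_test and not f.critical:
        tier = 0
    elif f.critical and f.public:
        tier += 2
    elif f.critical or f.public:
        tier += 1
    if f.exploited:
        tier += 1
    tier = min(tier, 3)
    # Organization policy sets a floor; regulation supersedes everything else.
    if f.policy_mandated:
        tier = max(tier, 2)
    if f.regulated:
        tier = 3
    return tier

def prioritize(f: Finding) -> str:
    return TIERS[tier_index(f)]

def rank(findings):
    # Highest tier first; CVSS breaks ties within a tier.
    return [f.host for f in sorted(findings, key=lambda f: (-tier_index(f), -f.cvss))]

# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("test-lab-db", 9.8, isolated_test=True),
    Finding("public-web", 3.1, critical=True, public=True),
    Finding("vendor-appliance", 5.0, policy_mandated=True),
    Finding("regulated-host", 2.0, regulated=True),
]
```
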
Community Champion

Hi all


IBM does something similar, using IBM X-Force Red Security Services - it does the traditional vulnerability scanning as well as more:


The team uses prioritisation of vulnerabilities via automation, Machine Learning, and Augmented Intelligence. Vulnerability ranking is based on if the vulnerability is being weaponised by criminals and the value of the vulnerable asset.


It provides a portal, which the client can access to run reports and remediation messages to the appropriate support staff etc.


It can run with a variety of vendor solutions, as the organisation prefers etc.


Plus as @Shannon states, it has to be run by the overarching regulations, i.e. PCI DSS quarterly scans etc etc.





Newcomer I

Yes, my team also considers these parameters in order to prioritise. From the raw Tenable scans, we recalibrate upward or downward the severity rating.


If external facing - yes, upwards, for med and low findings, and if exploitability  is yes