A Vulnerability Score On Its Own Is Useless

Aug 14, 2019
Kenna Security


An increasingly popular feature of modern vulnerability risk management platforms is to include a “score” for each vulnerability listed in the system. The purpose of the vulnerability score, of course, is to provide security teams with some understanding of relative urgency so that they can prioritize the remediation efforts of some vulnerabilities over others. But do these scores really help, or do they simply lull security professionals into a false sense of intelligence, believing that they have the context necessary to determine which vulnerabilities pose the most risk to the organization?

While having some type of vulnerability score can be more useful than not having one at all, it’s important to understand a few things about what a useful vulnerability score does and does not look like. First, the scores communicated by most vulnerability risk management platforms effectively have nothing to do with risk. As I highlighted in my last blog, Make Your Vulnerability Management Efforts Count, many vulnerability risk management vendors claim to deliver vulnerability scoring in their tools, but they’re really just taking the Common Vulnerability Scoring System (CVSS) score and passing it off as their own. And, as I highlighted in that blog, CVSS is a static scoring system that doesn’t include real-world risk in its assessment, so it’s really a poor indicator of risk and doesn’t provide any additional context to help you determine the relative criticality of each vulnerability in your environment.

To be useful, the vulnerability score has to be based on real-world, real-time risk assessments, as well as additional security information from throughout the enterprise’s environment, to provide the context necessary to be truly relevant.

“Good Enough” Isn’t

Even when the vulnerability score takes all of this into account, it’s essential to realize that it only provides a very small portion of what’s required to make appropriate decisions on which vulnerabilities pose the greatest risk, and therefore should be remediated first. That’s because even the best scoring algorithm, considering all relevant context and based in data science, is really just that—a score. While it certainly provides an indication of relative importance, the vulnerability score can’t single out any specific vulnerability to tell you what to fix first. Instead, it can really just help narrow down the consideration set to help you focus. 

Consider this: If you have 2,000,000 vulnerabilities and a vulnerability scoring system of zero to 100, you obviously can’t have a unique score for each of them. In all likelihood, you’ll have well over 100,000 vulnerabilities that are assigned a score of 100. In a tool where that’s the sole guidance that’s provided, you’d be directed to simply “fix all the 100s,” which obviously won’t help you much. While it certainly seems less intimidating than millions, how long would it take your team to remediate 100,000? And where do you start? That is, if you can only get to 20 of them this week, which are the most critical 20 that will reduce the most risk? A vulnerability score alone can’t answer this important question.

A Better Way

Don’t get me wrong, there’s definitely value in having a risk-based vulnerability score. But there’s exponentially more value when you pair that score with remediation intelligence that leverages data science to automate the analysis of all data to determine which vulnerabilities pose the greatest risk to the organization, and whose remediation will have the maximum impact on risk score reduction. 

By taking into account the number of instances of each vulnerability in your environment, the potential severity, and the assets that are threatened as a result of each vulnerability, remediation intelligence can granularly prioritize your remediation efforts based on what will have the greatest impact on your overall risk score for the least amount of effort. So rather than simply narrowing things down to the “top 100,000” vulnerabilities, as in the example above, remediation intelligence can tell you which specific vulnerability to fix first for any asset or group of assets. This benefits your teams by maximizing their efficiency and effectiveness while reducing the greatest amount of risk to the organization.
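To make the contrast concrete, here is a small added example (not Kenna's algorithm and not code from the original post) that ranks fixes by risk removed per hour of effort using instance counts, scores, and asset weights. The vulnerability IDs, asset names, weights, effort figures, and the additive risk model are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (vuln_id, asset, score_0_to_100). IDs are placeholders.
FINDINGS = [
    ("VULN-A", "web-01", 100), ("VULN-A", "web-02", 100), ("VULN-A", "web-03", 100),
    ("VULN-B", "db-01", 100),
    ("VULN-C", "laptop-17", 100), ("VULN-C", "laptop-18", 100),
    ("VULN-D", "web-01", 70),
]
# Assumed asset criticality weights (higher = more important to the business).
ASSET_WEIGHT = {"web-01": 3, "web-02": 3, "web-03": 3, "db-01": 10,
                "laptop-17": 1, "laptop-18": 1}
# Assumed effort, in hours, of the one fix that clears every instance of a vuln.
FIX_EFFORT_HOURS = {"VULN-A": 2, "VULN-B": 8, "VULN-C": 1, "VULN-D": 1}


def top_score_ties(findings):
    """Vuln IDs sharing the maximum score: all a score-only tool can say."""
    best = max(score for _, _, score in findings)
    return sorted({v for v, _, s in findings if s == best})


def rank_fixes(findings, asset_weight, effort_hours):
    """Rank fixes by risk removed per hour of effort.

    Risk removed by a fix = sum over affected instances of score * asset weight
    (a simple additive model assumed for this example).
    """
    removed = defaultdict(int)
    instances = defaultdict(int)
    for vuln, asset, score in findings:
        removed[vuln] += score * asset_weight[asset]
        instances[vuln] += 1
    ranked = [
        {"vuln": v, "instances": instances[v], "risk_removed": removed[v],
         "per_hour": removed[v] / effort_hours[v]}
        for v in removed
    ]
    # Highest payoff per hour first; break ties by total risk removed, then ID.
    ranked.sort(key=lambda r: (-r["per_hour"], -r["risk_removed"], r["vuln"]))
    return ranked


if __name__ == "__main__":
    print("Score-only tie:", top_score_ties(FINDINGS))
    for row in rank_fixes(FINDINGS, ASSET_WEIGHT, FIX_EFFORT_HOURS):
        print(row)
```

In this constructed data, three vulnerabilities tie at a score of 100, yet the ranking singles out one fix to do first and places a score-70 finding on a heavily weighted asset ahead of a score-100 finding on low-weight laptops.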


So next time a vulnerability risk management vendor touts their vulnerability scoring system, ask them to provide some additional details. 

  1. What are they basing that score on? 
  2. Does it employ full context by leveraging real-world, real-time risk assessments and additional security information from throughout your environment? 
  3. And, more importantly, is the score the primary value-add, or is the score just the first step in a larger set of intelligence that directs you on how best to use your limited security and IT resources?

These are critical considerations, because the answers can mean the difference between having to sift through 100,000 vulnerabilities today and just focusing on the one that has the greatest impact.

To learn more about how to go beyond simple vulnerability scores to maximize your efficiency and effectiveness, dig in on how Kenna.VM adds the proper context to give users a prioritized list of which vulnerabilities to fix first. 
