
All Vulnerabilities are Critical, Some are Worth Patching

Location

Solutions Theater

Patching security vulnerabilities is fundamental to the resiliency and safety of modern software. But the systems we rely on to handle them—CVEs for identification and CVSS for prioritization—are limited by design. They often strip away nuance and ignore business context, resulting in vague, opaque tickets tossed over the wall for developers to fix.


The volume of vulnerabilities doesn't help either. When a team is assigned 100 HIGH or CRITICAL vulnerability tickets, which ones come first? This prioritization problem leads to frustration, slows velocity, and overwhelms teams. The adage "If everything is critical, nothing is critical" captures this perfectly.


In this talk, we'll break down

  • Why CVE and CVSS aren't enough on their own, and why developers and security are often misaligned when it comes to prioritization. More importantly, we'll explore a practical approach that's transparent and useful for both engineering and security teams.
  • How to incorporate signals like environmental context, public exposure, and real-world exploitation trends or threat actor targeting to determine what truly matters.
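To make the second point concrete, here is an added example (not the speakers' material) of a small, transparent triage model that starts from the CVSS base score and adjusts it with the signals named above: asset tier as environmental context, internet exposure, observed exploitation, and threat-actor targeting. The weights, bonuses and the four sample tickets are assumptions constructed for illustration; the point is that each adjusted score carries its reasons, so a ticket no longer arrives as an opaque "CRITICAL".

```python
"""Context-aware triage of vulnerability tickets (illustrative weighting)."""
from dataclasses import dataclass


@dataclass
class Finding:
    ticket: str
    cvss: float              # CVSS base score, 0.0-10.0
    asset_tier: int          # 1 = production crown jewels, 2 = internal prod, 3 = dev/test
    internet_facing: bool    # reachable from the public internet
    known_exploited: bool    # exploitation observed in the wild (e.g. a KEV-style feed)
    actively_targeted: bool  # threat intel says actors target this product or sector


# Multipliers and bonuses are assumed values for illustration, not a standard.
TIER_WEIGHT = {1: 1.0, 2: 0.7, 3: 0.4}
EXPOSURE_WEIGHT = {True: 1.0, False: 0.5}
EXPLOITED_BONUS = 3.0
TARGETED_BONUS = 1.5


def triage(f: Finding):
    """Return (score, reasons): the adjusted priority and a human-readable audit trail."""
    reasons = [f"CVSS base {f.cvss}"]
    score = f.cvss * TIER_WEIGHT[f.asset_tier]            # environmental context
    reasons.append(f"asset tier {f.asset_tier} x{TIER_WEIGHT[f.asset_tier]}")
    score *= EXPOSURE_WEIGHT[f.internet_facing]           # public exposure
    reasons.append("internet-facing x1.0" if f.internet_facing else "internal only x0.5")
    if f.known_exploited:                                 # real-world exploitation
        score += EXPLOITED_BONUS
        reasons.append(f"exploited in the wild +{EXPLOITED_BONUS}")
    if f.actively_targeted:                               # threat actor targeting
        score += TARGETED_BONUS
        reasons.append(f"actively targeted +{TARGETED_BONUS}")
    return round(min(score, 10.0), 2), reasons


def rank(findings):
    """Order tickets by adjusted score, highest first."""
    return sorted(findings, key=lambda f: triage(f)[0], reverse=True)


# Constructed sample backlog: four HIGH/CRITICAL tickets with very different context.
SAMPLE = [
    Finding("VULN-101", 9.8, 3, False, False, False),  # critical CVSS, isolated dev box
    Finding("VULN-102", 7.5, 1, True, True, True),     # high CVSS, exposed, exploited, targeted
    Finding("VULN-103", 9.1, 2, True, False, False),   # critical CVSS, exposed, no exploitation
    Finding("VULN-104", 8.8, 1, False, True, False),   # high CVSS, internal, exploited
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        score, reasons = triage(f)
        print(f"{f.ticket}: {score:>5}  <- {', '.join(reasons)}")
```

Run as-is, the CVSS 9.8 finding on the dev box drops to the bottom of the queue while the exploited, internet-facing 7.5 on a tier-1 asset rises to the top, each with its reasons printed beside it.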


By the end, you'll have a better mental model for triaging security flaws, and a few questions to ask the next time a vague vulnerability ticket lands in your inbox.
