Vulnerability Prioritizer
by @charlie-morrison
`clawhub install vulnerability-prioritizer`

## About This Skill

```yaml
name: vulnerability-prioritizer
description: Prioritize vulnerabilities beyond CVSS scores using EPSS (Exploit Prediction Scoring), CISA KEV, asset criticality, reachability analysis, and exploit maturity. Produce risk-ranked remediation plans from scan outputs.
```
# Vulnerability Prioritizer

Stop fixing CVEs by CVSS score alone. Prioritize vulnerabilities using real-world exploit data (EPSS), the CISA Known Exploited Vulnerabilities catalog, asset criticality, network reachability, and exploit maturity, then produce a ranked remediation plan that focuses effort where risk is highest.
Use when: "prioritize these CVEs", "which vulnerabilities matter most", "triage scan results", "what should we patch first", "vulnerability report from scanner", "risk-based prioritization", or after receiving scan output from Snyk, Trivy, Grype, Qualys, or Nessus.
## Commands

### 1. prioritize - Risk-Rank Vulnerability List
#### Step 1: Parse Scanner Output
Accept input from common scanners:
```bash
# Trivy JSON output
trivy image --format json $IMAGE 2>/dev/null

# Grype JSON output
grype $IMAGE -o json 2>/dev/null

# npm audit
npm audit --json 2>/dev/null

# pip-audit
pip-audit --format json 2>/dev/null
```
Extract for each vulnerability:
#### Step 2: Enrich with EPSS Data
```bash
# Fetch EPSS scores (Exploit Prediction Scoring System)
# EPSS API: probability of exploitation in next 30 days
curl -s "https://api.first.org/data/v1/epss?cve=CVE-2024-1234,CVE-2024-5678" | \
python3 -c "
import json, sys
data = json.load(sys.stdin)
for entry in data.get('data', []):
    cve = entry['cve']
    epss = float(entry['epss'])
    pctl = float(entry['percentile'])
    risk = 'CRITICAL' if epss > 0.5 else 'HIGH' if epss > 0.1 else 'MEDIUM' if epss > 0.01 else 'LOW'
    print(f'{cve}: EPSS={epss:.4f} (percentile {pctl:.2f}) -> {risk} exploit likelihood')
"
```
#### Step 3: Check CISA KEV (Known Exploited Vulnerabilities)
```bash
# Download CISA KEV catalog
curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | \
python3 -c "
import json, sys
kev = json.load(sys.stdin)
kev_cves = {v['cveID'] for v in kev['vulnerabilities']}
# Check your CVE list against KEV
target_cves = sys.argv[1].split(',') if len(sys.argv) > 1 else []
for cve in target_cves:
    if cve in kev_cves:
        print(f'🚨 {cve} is in CISA KEV: ACTIVELY EXPLOITED, patch immediately')
" "CVE-2024-1234,CVE-2024-5678"
```
#### Step 4: Assess Asset Criticality
Ask about or infer the asset context:
#### Step 5: Calculate Composite Risk Score
```
Risk Score = CVSS_normalized × EPSS_weight × asset_multiplier × exploit_maturity

Where:
  CVSS_normalized  = CVSS / 10            (0-1 range)
  EPSS_weight      = 1 + (EPSS × 10)      (EPSS 0.5 → 6× weight)
  asset_multiplier = product of applicable multipliers
  exploit_maturity:
    - In CISA KEV                          = 5.0
    - Public exploit (Metasploit, ExploitDB) = 3.0
    - PoC available                        = 2.0
    - Theoretical                          = 1.0
```
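The Step 5 formula carried through in code, as an added example that is not part of the skill itself: `Finding`, `composite_risk`, `prioritize` and `deprioritized` are assumed names, the asset multipliers and the third package are constructed values, and a KEV hit overrides the scanner-reported maturity as Step 3 implies.

```python
from dataclasses import dataclass

# Exploit-maturity multipliers from Step 5 of the skill description.
MATURITY = {"kev": 5.0, "public_exploit": 3.0, "poc": 2.0, "theoretical": 1.0}

@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss: float              # base score, 0-10
    epss: float              # probability of exploitation in the next 30 days, 0-1
    maturity: str            # key into MATURITY, as reported by scanner or analyst
    asset_multiplier: float  # product of asset-criticality multipliers (constructed here)

def composite_risk(cvss: float, epss: float, asset_multiplier: float, maturity: str) -> float:
    """Risk Score = CVSS_normalized x EPSS_weight x asset_multiplier x exploit_maturity."""
    if not (0.0 <= cvss <= 10.0 and 0.0 <= epss <= 1.0):
        raise ValueError("cvss must be in 0-10 and epss in 0-1")
    cvss_normalized = cvss / 10     # 0-1 range
    epss_weight = 1 + epss * 10     # EPSS 0.5 -> 6x weight
    return cvss_normalized * epss_weight * asset_multiplier * MATURITY[maturity]

def prioritize(findings, kev_cves):
    """Rank findings by composite score; a KEV entry overrides any lower maturity (Step 3)."""
    ranked = []
    for f in findings:
        maturity = "kev" if f.cve in kev_cves else f.maturity
        score = composite_risk(f.cvss, f.epss, f.asset_multiplier, maturity)
        ranked.append((score, f.cve, f.package, maturity))
    return sorted(ranked, reverse=True)

def deprioritized(findings, kev_cves, cvss_floor=7.0, epss_ceiling=0.01):
    """The report's 'CVSS high but low real risk' bucket: not in KEV and EPSS below the ceiling."""
    return [f.cve for f in findings
            if f.cvss >= cvss_floor and f.epss < epss_ceiling and f.cve not in kev_cves]

# Constructed sample input reusing the CVE values shown in the example report (Step 6).
KEV_CVES = {"CVE-2024-1234", "CVE-2024-5678"}
SAMPLE_FINDINGS = [
    Finding("CVE-2024-1234", "openssl 3.0.1", 9.8, 0.87, "public_exploit", 1.0),
    Finding("CVE-2024-5678", "log4j 2.14.1", 8.1, 0.45, "poc", 1.5),
    Finding("CVE-2024-9999", "internal-svc 1.0", 9.1, 0.001, "theoretical", 1.0),
]

if __name__ == "__main__":
    for score, cve, pkg, maturity in prioritize(SAMPLE_FINDINGS, KEV_CVES):
        print(f"{cve:15} {pkg:18} {maturity:15} risk={score:.1f}")
    print("de-prioritized:", deprioritized(SAMPLE_FINDINGS, KEV_CVES))
```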
#### Step 6: Generate Prioritized Report
```markdown
# Vulnerability Prioritization Report

## Summary
Total vulnerabilities: 142
After prioritization: 12 critical, 23 high, 45 medium, 62 low
Remediation effort: ~3 days for critical+high

## 🚨 Critical Priority (patch within 24h)
| Rank | CVE | CVSS | EPSS | KEV | Package | Risk Score | Fix |
|------|-----|------|------|-----|---------|------------|-----|
| 1 | CVE-2024-1234 | 9.8 | 0.87 | ✅ | openssl 3.0.1 | 48.2 | Upgrade to 3.0.15 |
| 2 | CVE-2024-5678 | 8.1 | 0.45 | ✅ | log4j 2.14.1 | 36.5 | Upgrade to 2.21.0 |

## ⚠️ High Priority (patch within 1 week)
...

## De-prioritized (CVSS high but low real risk)
| CVE | CVSS | EPSS | Reason |
|-----|------|------|--------|
| CVE-2024-9999 | 9.1 | 0.001 | No known exploit, internal-only service, no sensitive data |
```
### 2. compare - Track Vulnerability Trends
Compare current scan results against a previous baseline:
### 3. sla - Generate Remediation SLAs
Based on industry standards and the organization's risk tolerance:
Track SLA compliance and flag overdue items.
### 4. reachability - Analyze Exploit Reachability
For each vulnerability, determine if the vulnerable code path is actually reachable:
```bash
# Check if vulnerable function is called (example for npm)
# Find which module has the CVE
npm ls --json 2>/dev/null | python3 -c "
import json, sys
tree = json.load(sys.stdin)
# Walk dependency tree to find usage: print every path that ends in the vulnerable package
def walk(node, path):
    for name, child in node.get('dependencies', {}).items():
        if name == 'vulnerable-package':
            print(' > '.join(path + [name]))
        walk(child, path + [name])
walk(tree, [tree.get('name', 'root')])
"

# Check import chain
rg "require\(['\"]vulnerable-package['\"]" --type js
rg "from ['\"]vulnerable-package['\"]" --type ts
```
Mark each vulnerability as reachable (fix urgently), transitively reachable (fix soon), or phantom (the dependency exists but the vulnerable code path never executes; deprioritize).