Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization
Naoyuki Shimizu, Masaki Hashimoto

TL;DR
This paper introduces Vulnerability Management Chaining, a framework that combines KEV, EPSS, and CVSS to improve vulnerability prioritization efficiency and coverage, significantly reducing remediation workload using open-source data.
Contribution
The paper presents a novel decision tree framework that systematically integrates KEV, EPSS, and CVSS for more effective vulnerability prioritization.
Findings
18-fold efficiency improvement in vulnerability management
85.6% coverage of exploited vulnerabilities
95% reduction in urgent remediation workload
Abstract
As the number of Common Vulnerabilities and Exposures (CVE) continues to grow exponentially, security teams face increasingly difficult decisions about prioritization. Current approaches using Common Vulnerability Scoring System (CVSS) scores produce overwhelming volumes of high-priority vulnerabilities, while the Exploit Prediction Scoring System (EPSS) and the Known Exploited Vulnerabilities (KEV) catalog offer valuable but incomplete perspectives on actual exploitation risk. We present Vulnerability Management Chaining, a decision tree framework that systematically integrates these three approaches to achieve efficient vulnerability prioritization. Our framework employs a two-stage evaluation process: first applying threat-based filtering using KEV membership or an EPSS threshold (0.088), then applying vulnerability severity assessment using CVSS scores (threshold 7.0) to enable informed…
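The two-stage decision tree described in the abstract, written out as an added Python example (not the authors' code or data): stage one passes a vulnerability if it is KEV-listed or its EPSS score is at least 0.088, stage two then splits the survivors on a CVSS score of at least 7.0. The tier names ("urgent", "scheduled", "defer"), the input validation, the CVSS-only baseline used for comparison, and the sample CVE records (with placeholder IDs) are this example's own assumptions; only the two thresholds come from the paper.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Thresholds as stated in the abstract
EPSS_THRESHOLD = 0.088  # EPSS probability of exploitation in the wild
CVSS_THRESHOLD = 7.0    # CVSS base score ("High" and above)


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record with the three signals the framework chains."""
    cve_id: str
    cvss: float   # CVSS base score, 0.0 - 10.0
    epss: float   # EPSS probability, 0.0 - 1.0
    in_kev: bool  # listed in the KEV catalog

    def __post_init__(self) -> None:
        # Reject malformed feeds early; a bad score should never silently defer a CVE
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve_id}: CVSS out of range: {self.cvss}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve_id}: EPSS out of range: {self.epss}")


def threat_filter(v: Vuln) -> bool:
    """Stage 1 (threat-based): KEV membership OR EPSS >= 0.088."""
    return v.in_kev or v.epss >= EPSS_THRESHOLD


def severity_filter(v: Vuln) -> bool:
    """Stage 2 (severity): CVSS >= 7.0."""
    return v.cvss >= CVSS_THRESHOLD


def prioritize(v: Vuln) -> str:
    """Walk the decision tree. Tier labels are this example's own, not the paper's."""
    if not threat_filter(v):
        return "defer"        # no evidence of exploitation activity
    if severity_filter(v):
        return "urgent"       # exploited/likely exploited AND high severity
    return "scheduled"        # exploitation signal present, lower severity


def summarize(vulns: Iterable[Vuln]) -> Dict[str, int]:
    """Count how many records land in each tier."""
    counts = {"urgent": 0, "scheduled": 0, "defer": 0}
    for v in vulns:
        counts[prioritize(v)] += 1
    return counts


def cvss_only_high(vulns: Iterable[Vuln]) -> int:
    """Baseline for comparison: everything CVSS >= 7.0, ignoring threat signals."""
    return sum(1 for v in vulns if severity_filter(v))


# Constructed sample records (placeholder CVE IDs, invented scores) chosen to hit
# each branch and both threshold boundaries.
SAMPLE = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.95, in_kev=True),    # urgent
    Vuln("CVE-0000-0002", cvss=7.5, epss=0.01, in_kev=False),   # defer: high CVSS, no threat signal
    Vuln("CVE-0000-0003", cvss=5.3, epss=0.40, in_kev=False),   # scheduled: likely exploited, medium CVSS
    Vuln("CVE-0000-0004", cvss=8.1, epss=0.088, in_kev=False),  # urgent: exactly at EPSS threshold
    Vuln("CVE-0000-0005", cvss=4.0, epss=0.002, in_kev=False),  # defer
    Vuln("CVE-0000-0006", cvss=9.1, epss=0.05, in_kev=True),    # urgent: KEV overrides low EPSS
    Vuln("CVE-0000-0007", cvss=7.0, epss=0.20, in_kev=False),   # urgent: exactly at CVSS threshold
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.cve_id}: {prioritize(v)}")
    print("chained tiers:", summarize(SAMPLE))
    print("CVSS-only high count:", cvss_only_high(SAMPLE))
```

On the constructed sample the CVSS-only baseline flags five records, while chaining sends four to the urgent tier and surfaces one medium-CVSS record that the baseline would have ignored entirely; the boundary records show that both comparisons are inclusive, which matters when feeding real EPSS values that are reported to three decimals.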
