RiskBridge: Turning CVEs into Business-Aligned Patch Priorities
Yelena Mujibur Sheikh, Awez Akhtar Khatik, Luoxi Tang, Yuqiao Meng, Zhaohan Xi

TL;DR
RiskBridge is a comprehensive framework that enhances vulnerability prioritization by integrating multi-source intelligence, probabilistic modeling, and compliance considerations to improve remediation efficiency and reduce residual risk.
Contribution
It introduces a novel, explainable, and compliance-aware vulnerability management system that combines probabilistic exploit forecasting, regulatory policy translation, and risk optimization.
Findings
88% reduction in residual risk
18-day improvement in SLA compliance
35% increase in remediation efficiency
Abstract
Enterprises are confronted with an unprecedented escalation in cybersecurity vulnerabilities, with thousands of new CVEs disclosed each month. Conventional prioritization frameworks such as CVSS offer static severity metrics that fail to account for exploit probability, compliance urgency, and operational impact, resulting in inefficient and delayed remediation. This paper introduces RiskBridge, an explainable and compliance-aware vulnerability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business-aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to forecast near-term exploit likelihood, a Policy-as-Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into automated SLA logic, and an ROI-driven Optimizer to maximize cumulative risk…
Taxonomy
Topics: Information and Cyber Security · Security and Verification in Computing · Network Security and Intrusion Detection
