cvss
Safeguard articles tagged "cvss" — guides, analysis, and best practices for software supply chain and application security.
47 articles
Understanding CVSS Scores
CVSS turns a vulnerability's characteristics into a number from 0 to 10 and a severity label. Here is what the score actually measures, how the metrics combine, and why the number alone should never drive your patching.
How to Read a CVE: A Beginner's Guide
A plain-language walkthrough of what a CVE record contains and how to read one — the ID, description, CVSS score, CWE, affected versions, and whether a fix exists.
Understanding CVSS scoring for vulnerabilities
CVSS scores run 0-10, but a 9.8 doesn't always mean patch tonight. Here's how base scores are calculated and why context beats the number.
CVE explained: how vulnerabilities get identified and scored
A CVE ID and its CVSS score come from different organizations entirely. Here's how identification and severity scoring actually work, using Log4Shell and the 2024 NVD backlog as examples.
CVE scoring inconsistencies across vulnerability databases
Why the same CVE can carry three different severity scores across NVD, GitHub, and vendor advisories — and how to prioritize anyway.
The NVD backlog and its impact on vulnerability management
The NVD backlog leaves thousands of CVEs unscored each month, forcing security teams to rethink how they prioritize and triage vulnerabilities.
Vulnerability prioritization: moving beyond CVSS scores
CVSS scores flood teams with thousands of "Critical" findings, but fewer than 5% of CVEs are ever exploited. Here's how reachability and exploit data fix triage.
Reachability Analysis vs EPSS vs CVSS: Prioritization Showdown
CVSS scores severity, EPSS predicts exploitation, reachability proves applicability. A spec-level comparison of the three signals — and the order to apply them.
What is a Vulnerability Assessment
A vulnerability assessment finds and ranks security weaknesses at scale — here's how it differs from a pentest, its five-step process, and reporting essentials.
What is an Application Vulnerability
A flaw in code, config, or a dependency that attackers can exploit. Learn the types, scoring, and how vulnerabilities differ from risk and threats.
What is a CVE (Common Vulnerabilities and Exposures)
A CVE is a unique ID for a known security flaw, but how it's assigned, scored, and disclosed is far messier than the name suggests.
Why EPSS scores matter for vulnerability management
EPSS scores predict real-world exploitation probability, something CVSS can't do. Here's why that matters for Prisma Cloud users, and how Safeguard uses it.