cvss
Safeguard articles tagged "cvss" — guides, analysis, and best practices for software supply chain and application security.
47 articles
What is CVSS (Common Vulnerability Scoring System)
CVSS scores rate vulnerability severity from 0.0 to 10.0 — but a 9.8 doesn't mean exploitable in your app. Here's how the math and priorities really work.
What is EPSS (Exploit Prediction Scoring System)
EPSS scores every CVE's real-world exploit probability. Here's how the FIRST.org model works, how it differs from CVSS, and how to use it to triage faster.
CVSS vs EPSS vs KEV: A 2026 Prioritization Guide
How CVSS, EPSS, and CISA KEV combine into a defensible vulnerability prioritization model for 2026, with concrete thresholds and operational guidance.
Prioritising CVE Patches With Reachability, Not CVSS Alone
CVSS by itself produces a queue ordered by hypothetical severity. Reachability orders by actual exposure. Mixing the two correctly is where mature programs land.
CVSS scoring
What is CVSS? A clear breakdown of the Common Vulnerability Scoring System, base vs temporal scores, CVSS v4 changes, and how to prioritize real risk.
KEV, EPSS, CVSS: Which Signal Should Drive Patching?
CVSS measures severity, EPSS predicts exploitation, KEV confirms active exploitation. Each answers a different question, and patching policy should use all three.
The End of CVSS-Only Prioritization
A single static severity score cannot tell you which vulnerability to fix first. Modern prioritization is a function of reachability, exploitability, and business context — and CVSS is only one input.
What is Risk-Based Vulnerability Prioritization
CVSS alone can't sort 40,000 CVEs a year. Learn how reachability, EPSS, and KEV data cut real risk from noise.
What is Risk Scoring
Vulnerability risk scoring ranks flaws by real exploitability and exposure, not just CVSS severity. Here's how it works and why it matters.
What is Vulnerability Triage
Vulnerability triage ranks scanner findings by real exploitability and exposure, not raw CVSS score, turning an unmanageable backlog into a short, defensible fix list.
CVSS 4.0 Scoring Adoption: What Changed
Two years after CVSS 4.0's release, adoption remains uneven. Here is where scoring really changed, where it did not, and how to handle mixed datasets.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.