Safeguard
Tag

cvss

Safeguard articles tagged "cvss" — guides, analysis, and best practices for software supply chain and application security.

47 articles

Vulnerability Analysis

What is CVSS (Common Vulnerability Scoring System)

CVSS scores rate vulnerability severity from 0.0 to 10.0 — but a 9.8 doesn't mean exploitable in your app. Here's how the math and priorities really work.

Apr 8, 20266 min read
Vulnerability Analysis

What is EPSS (Exploit Prediction Scoring System)

EPSS scores every CVE's real-world exploit probability. Here's how the FIRST.org model works, how it differs from CVSS, and how to use it to triage faster.

Apr 8, 20266 min read
Vulnerability Management

CVSS vs EPSS vs KEV: A 2026 Prioritization Guide

How CVSS, EPSS, and CISA KEV combine into a defensible vulnerability prioritization model for 2026, with concrete thresholds and operational guidance.

Apr 6, 20265 min read
Best Practices

Prioritising CVE Patches With Reachability, Not CVSS Alone

CVSS by itself produces a queue ordered by hypothetical severity. Reachability orders by actual exposure. Mixing the two correctly is where mature programs land.

Apr 4, 20263 min read
Vulnerability Management

CVSS scoring

What is CVSS? A clear breakdown of the Common Vulnerability Scoring System, base vs temporal scores, CVSS v4 changes, and how to prioritize real risk.

Feb 23, 20267 min read
Vulnerability Management

KEV, EPSS, CVSS: Which Signal Should Drive Patching?

CVSS measures severity, EPSS predicts exploitation, KEV confirms active exploitation. Each answers a different question, and patching policy should use all three.

Feb 20, 20267 min read
Industry Analysis

The End of CVSS-Only Prioritization

A single static severity score cannot tell you which vulnerability to fix first. Modern prioritization is a function of reachability, exploitability, and business context — and CVSS is only one input.

Feb 12, 20268 min read
Application Security

What is Risk-Based Vulnerability Prioritization

CVSS alone can't sort 40,000 CVEs a year. Learn how reachability, EPSS, and KEV data cut real risk from noise.

Feb 5, 20266 min read
Application Security

What is Risk Scoring

Vulnerability risk scoring ranks flaws by real exploitability and exposure, not just CVSS severity. Here's how it works and why it matters.

Feb 1, 20266 min read
Application Security

What is Vulnerability Triage

Vulnerability triage ranks scanner findings by real exploitability and exposure, not raw CVSS score, turning an unmanageable backlog into a short, defensible fix list.

Feb 1, 20267 min read
Vulnerability Management

CVSS 4.0 Scoring Adoption: What Changed

Two years after CVSS 4.0's release, adoption remains uneven. Here is where scoring really changed, where it did not, and how to handle mixed datasets.

Oct 10, 20254 min read
Concepts

What Is the NVD (National Vulnerability Database)?

The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.

Sep 30, 20256 min read
cvss (Page 3) — Safeguard Blog