kev
Safeguard articles tagged "kev" — guides, analysis, and best practices for software supply chain and application security.
21 articles
When CVSS Scoring Misleads Severity Context
Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.
Vulnerability Prioritization FAQ: How to Decide What to Fix First
You can't fix everything at once. This FAQ explains how to prioritize vulnerabilities using severity, exploitation likelihood, active-exploitation evidence, and reachability.
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
CVSS, EPSS, and KEV Explained: A Prioritization FAQ
CVSS measures severity, EPSS estimates exploitation likelihood, and CISA KEV lists what is actively exploited. Here is how the three differ and how to use them together.
GitLab Account Takeover via Password Reset (CVE-2023-7028) Explained
CVE-2023-7028 let attackers send GitLab password-reset links to an address they controlled — a zero-interaction account takeover scored 10.0. Here's the flaw and the fix.
CVSS scoring explained, and where severity scores go wrong
CVSS score explained through a real case where CVSS, EPSS, and KEV disagreed, showing why severity alone misleads prioritization decisions.
DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026
BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.
CVSS vs EPSS vs KEV: A 2026 Prioritization Guide
How CVSS, EPSS, and CISA KEV combine into a defensible vulnerability prioritization model for 2026, with concrete thresholds and operational guidance.
State of CVE Disclosure and KEV in 2026
A senior-analyst view of CVE disclosure, KEV catalog growth, and the operational patterns that keep pace with them in 2026.
CVE Triage Is Broken. Here's a Better Workflow.
Most enterprise CVE queues are noise. KEV plus EPSS plus reachability plus policy-as-code cuts the real actionable list to a manageable few percent.
Vulnerability Intelligence Platform Buyer Guide 2026
A senior-engineer's buyer guide for vulnerability intelligence platforms in 2026: what to evaluate, how to test, and where most procurement processes go wrong.
KEV, EPSS, CVSS: Which Signal Should Drive Patching?
CVSS measures severity, EPSS predicts exploitation, KEV confirms active exploitation. Each answers a different question, and patching policy should use all three.