Safeguard
Tag

kev

Safeguard articles tagged "kev" — guides, analysis, and best practices for software supply chain and application security.

21 articles

Vulnerability Management

When CVSS Scoring Misleads Severity Context

Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.

Jul 16, 20267 min read
FAQ

Vulnerability Prioritization FAQ: How to Decide What to Fix First

You can't fix everything at once. This FAQ explains how to prioritize vulnerabilities using severity, exploitation likelihood, active-exploitation evidence, and reachability.

Jul 8, 20266 min read
Vulnerability Management

NVD's enrichment backlog and how to build a multi-source vuln database strategy

NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.

Jul 8, 20266 min read
FAQ

CVSS, EPSS, and KEV Explained: A Prioritization FAQ

CVSS measures severity, EPSS estimates exploitation likelihood, and CISA KEV lists what is actively exploited. Here is how the three differ and how to use them together.

Jul 7, 20266 min read
Vulnerability Analysis

GitLab Account Takeover via Password Reset (CVE-2023-7028) Explained

CVE-2023-7028 let attackers send GitLab password-reset links to an address they controlled — a zero-interaction account takeover scored 10.0. Here's the flaw and the fix.

Jul 5, 20265 min read
Vulnerability Management

CVSS scoring explained, and where severity scores go wrong

CVSS score explained through a real case where CVSS, EPSS, and KEV disagreed, showing why severity alone misleads prioritization decisions.

May 27, 20268 min read
Compliance

DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026

BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.

May 13, 20268 min read
Vulnerability Management

CVSS vs EPSS vs KEV: A 2026 Prioritization Guide

How CVSS, EPSS, and CISA KEV combine into a defensible vulnerability prioritization model for 2026, with concrete thresholds and operational guidance.

Apr 6, 20265 min read
Industry Analysis

State of CVE Disclosure and KEV in 2026

A senior-analyst view of CVE disclosure, KEV catalog growth, and the operational patterns that keep pace with them in 2026.

Mar 18, 20269 min read
Vulnerability Management

CVE Triage Is Broken. Here's a Better Workflow.

Most enterprise CVE queues are noise. KEV plus EPSS plus reachability plus policy-as-code cuts the real actionable list to a manageable few percent.

Mar 12, 20267 min read
Vulnerability Management

Vulnerability Intelligence Platform Buyer Guide 2026

A senior-engineer's buyer guide for vulnerability intelligence platforms in 2026: what to evaluate, how to test, and where most procurement processes go wrong.

Mar 11, 20265 min read
Vulnerability Management

KEV, EPSS, CVSS: Which Signal Should Drive Patching?

CVSS measures severity, EPSS predicts exploitation, KEV confirms active exploitation. Each answers a different question, and patching policy should use all three.

Feb 20, 20267 min read
kev — Safeguard Blog