Building a Vulnerability Management Program: CVE Tracking, Prioritization & Patching
The Vulnerability Flood
The number of reported vulnerabilities grows every year, and the growth shows no sign of slowing:
| Year | New CVEs Published | Critical/High | Change |
|---|---|---|---|
| 2020 | 18,362 | 5,108 | — |
| 2021 | 20,174 | 5,891 | +10% |
| 2022 | 25,227 | 7,142 | +25% |
| 2023 | 28,961 | 8,314 | +15% |
| 2024 | 33,137 | 9,852 | +14% |
| 2025 (projected) | 38,000+ | 11,000+ | +15% |
Source: NIST NVD, CVE.org
The Hard Truth: You cannot patch every vulnerability. No organization has the resources to fix 33,000+ CVEs per year across their entire infrastructure. The answer is risk-based prioritization — focus on the vulnerabilities that matter most to your specific environment.
Risk-Based Prioritization
CVSS Is Not Enough
CVSS (Common Vulnerability Scoring System) scores measure theoretical severity, not real-world risk. A CVSS 9.8 vulnerability in a library you don't use is zero risk. A CVSS 6.5 vulnerability in your internet-facing authentication service is critical.
Factors for Real Risk Assessment:
| Factor | Question | Weight |
|---|---|---|
| CVSS Score | How severe is the vulnerability? | Medium |
| EPSS Score | What's the probability of exploitation? | High |
| CISA KEV | Is it actively exploited in the wild? | Very High |
| Asset Criticality | Is the affected system business-critical? | Very High |
| Exposure | Is it internet-facing or internal-only? | High |
| Compensating Controls | Are there mitigations in place? | Medium |
| Exploit Availability | Is there a public exploit? | High |
EPSS: Exploit Prediction Scoring System
EPSS predicts the probability that a vulnerability will be exploited in the wild within the next 30 days.
| EPSS Score | Interpretation | Action |
|---|---|---|
| > 0.7 (70%) | Very likely to be exploited | Patch within 24 hours |
| 0.3 - 0.7 | Moderate exploitation probability | Patch within 7 days |
| 0.1 - 0.3 | Low exploitation probability | Patch within 30 days |
| < 0.1 (10%) | Unlikely to be exploited | Patch in next maintenance cycle |
CISA KEV (Known Exploited Vulnerabilities Catalog)
CISA's KEV catalog lists vulnerabilities that are confirmed actively exploited in the wild. If a vulnerability is on this list, patch immediately.
Vulnerability Management SLAs
| Severity | Criteria | SLA | Escalation |
|---|---|---|---|
| P0: Emergency | CISA KEV + internet-facing OR active exploitation against you | 24 hours | Immediate exec notification |
| P1: Critical | CVSS ≥ 9.0 + exploitable + internet-facing | 72 hours | CISO notification |
| P2: High | CVSS 7.0-8.9 OR EPSS > 0.3 | 14 days | Team lead notification |
| P3: Medium | CVSS 4.0-6.9 AND low EPSS | 30 days | Sprint planning |
| P4: Low | CVSS < 4.0 AND no known exploit | 90 days | Backlog |
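The factor table, the EPSS table and the SLA table above all feed one decision: what tier a finding lands in and by when it must be fixed. The following is an added example, not code from the article, that encodes those three tables as a triage function. Where the tables leave a combination open (a CVSS 9.8 on an internal host, a KEV entry that is not internet-facing, how a compensating control changes the tier), the rule chosen is marked `ASSUMPTION` in the code and is this example's own choice; the `Finding` type and the placeholder identifiers are likewise constructed for the example. The deadline it computes is the stricter of the tier SLA and the EPSS-table deadline, so a CVSS 6.5 finding with EPSS 0.85 on an internet-facing service gets a 24-hour clock even though its tier is P2.

```python
"""Risk-based triage: map one vulnerability finding to a P0..P4 tier and a deadline.

Added example, not code from the article. It encodes the article's SLA table and
EPSS table; rules marked ASSUMPTION cover combinations those tables leave open
and are this example's own choices.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation SLA in hours per tier ("Vulnerability Management SLAs" table).
SLA_HOURS = {"P0": 24, "P1": 72, "P2": 14 * 24, "P3": 30 * 24, "P4": 90 * 24}


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: float                       # P(exploited within 30 days), 0.0..1.0
    in_kev: bool                      # listed in the CISA KEV catalog
    public_exploit: bool              # public exploit code exists
    internet_facing: bool
    in_use: bool = True               # is the vulnerable component actually deployed?
    exploited_against_us: bool = False
    compensating_control: bool = False
    discovered_at: datetime = datetime(2025, 1, 1, tzinfo=timezone.utc)


def epss_deadline_hours(epss: float):
    """Deadline implied by the EPSS table; None means 'next maintenance cycle'."""
    if epss > 0.7:
        return 24
    if epss >= 0.3:
        return 7 * 24
    if epss >= 0.1:
        return 30 * 24
    return None


def tier(f: Finding) -> str:
    """Return the SLA tier, testing the strictest rule first."""
    if not f.in_use:
        # Article: a vulnerability in a component you don't use is zero risk.
        return "P4"
    if f.exploited_against_us or (f.in_kev and f.internet_facing):
        return "P0"
    exploitable = f.public_exploit or f.in_kev
    if f.cvss >= 9.0 and exploitable and f.internet_facing:
        return "P1"
    # ASSUMPTION: KEV entries on internal hosts and CVSS >= 9.0 findings that
    # miss P1 land in P2 instead of falling out of the table.
    if f.in_kev or f.cvss >= 7.0 or f.epss > 0.3:
        t = "P2"
    elif f.cvss >= 4.0 or f.public_exploit:
        # EPSS <= 0.3 here. ASSUMPTION: low CVSS with a public exploit is not "Low".
        t = "P3"
    else:
        t = "P4"
    if f.compensating_control and t in ("P2", "P3"):
        # ASSUMPTION: a compensating control relaxes one tier; P0/P1 never relax.
        t = "P3" if t == "P2" else "P4"
    return t


def due_by(f: Finding) -> datetime:
    """Deadline: the stricter of the tier SLA and the EPSS-table deadline."""
    hours = SLA_HOURS[tier(f)]
    epss_hours = epss_deadline_hours(f.epss) if f.in_use else None
    if epss_hours is not None:
        hours = min(hours, epss_hours)
    return f.discovered_at + timedelta(hours=hours)


def prioritize(findings):
    """Order a batch of findings: earliest deadline first, then tier."""
    return sorted(findings, key=lambda f: (due_by(f), tier(f)))


if __name__ == "__main__":
    # Constructed sample findings; the identifiers are placeholders, not real CVEs.
    batch = [
        Finding("EXAMPLE-1", 9.8, 0.02, False, False, False, in_use=False),  # unused library
        Finding("EXAMPLE-2", 6.5, 0.85, False, False, True),                 # auth service
        Finding("EXAMPLE-3", 7.5, 0.90, True, True, True),                   # KEV, internet-facing
        Finding("EXAMPLE-4", 5.0, 0.02, False, False, False, compensating_control=True),
    ]
    for f in prioritize(batch):
        print(f"{f.cve:10} {tier(f)} due {due_by(f):%Y-%m-%d %H:%M}")
```

Running it orders the KEV entry and the EPSS-0.85 authentication finding first (both on a 24-hour clock), then the mitigated medium finding, with the unused CVSS 9.8 library last in the 90-day backlog. Feed `Finding` from your scanner export plus your asset inventory (the exposure and criticality fields are what scanners cannot tell you) and the same function drives ticket creation and SLA timers.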
Vulnerability Scanning Strategy
| Scanner Type | Coverage | Frequency | Tools |
|---|---|---|---|
| Infrastructure | Servers, network devices, cloud resources | Weekly | Nessus, Qualys, Rapid7 |
| Application (DAST) | Web applications, APIs | Weekly on staging | OWASP ZAP, Burp Enterprise |
| Dependency (SCA) | Libraries, packages | Every build | Snyk, npm audit, Trivy |
| Container | Docker images, registries | Every build + daily registry scan | Trivy, Grype, Anchore |
| Cloud | AWS/Azure/GCP misconfigurations | Continuous | Prowler, ScoutSuite, Wiz |
| IaC | Terraform, K8s manifests | Every PR | Checkov, tfsec |
Automated Patching
What Should Be Auto-Patched?
| Category | Auto-Patch? | Rationale |
|---|---|---|
| OS security updates | Yes (non-breaking) | Well-tested, low risk |
| Minor dependency updates | Yes (with tests) | Semver minor = backward compatible |
| Critical CVE patches | Yes (with rollback) | Speed > caution for active exploits |
| Major version upgrades | No (manual review) | Breaking changes likely |
| Custom application patches | No (manual) | Requires code review and testing |
Automated Patching Pipeline
```yaml
# Dependabot configuration for automated updates
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "automated"
# Dependabot only opens the pull requests. Auto-merging minor and patch
# updates is done by a separate workflow (for example a GitHub Actions job)
# once the test suite passes; major updates require manual review.
```
Metrics and Reporting
| KPI | Target | Formula |
|---|---|---|
| Mean Time to Remediate (Critical) | < 72 hours | Avg time from discovery to fix |
| SLA compliance rate | > 95% | Vulns fixed within SLA / total vulns |
| Vulnerability density | Decreasing trend | Open vulns / total assets |
| Scan coverage | > 99% | Scanned assets / total assets |
| Age of oldest unpatched critical | < 14 days | Calendar days since discovery |
| False positive rate | < 10% | False positives / total findings |
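The KPI table gives each metric as a formula. As an added example, not code from the article, the block below computes all six from a findings register and an asset inventory and checks each against the table's target. The register, host names and finding identifiers are constructed sample data. One rule is this example's own assumption and is marked as such in the code: an open finding that is still inside its SLA window is counted as compliant, since the article's formula names only "vulns fixed within SLA / total vulns" and does not say how to treat findings that are open but not yet overdue.

```python
"""Vulnerability-management KPIs computed from a findings register.

Added example, not code from the article. The register and asset inventory are
constructed sample data; the rule that an open finding still inside its SLA
window counts as compliant is this example's own assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

SLA_DAYS = {"P0": 1, "P1": 3, "P2": 14, "P3": 30, "P4": 90}  # from the SLA table


@dataclass
class Finding:
    id: str
    tier: str
    asset: str
    discovered: datetime
    fixed: Optional[datetime] = None
    false_positive: bool = False


def feb(day: int, hour: int = 0) -> datetime:
    """Shorthand for a UTC timestamp in February 2025 (sample data only)."""
    return datetime(2025, 2, day, hour, tzinfo=timezone.utc)


NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample register; ids and hosts are placeholders, not real findings.
FINDINGS = [
    Finding("F1", "P0", "web-01", feb(1), fixed=feb(1, 20)),   # fixed in 20h
    Finding("F2", "P1", "web-01", feb(2), fixed=feb(6)),       # 96h: missed 72h SLA
    Finding("F3", "P1", "api-01", feb(20)),                    # open and overdue
    Finding("F4", "P2", "db-01", feb(10), fixed=feb(12)),
    Finding("F5", "P3", "db-01", feb(25)),                     # open, inside SLA
    Finding("F6", "P2", "web-02", feb(15), false_positive=True),
]
ASSETS = {"web-01": True, "web-02": True, "api-01": True, "db-01": False}  # host -> scanned

# Targets from the KPI table: (threshold, value must be below it?).
TARGETS = {
    "mttr_critical_hours": (72, True),
    "sla_compliance": (0.95, False),
    "scan_coverage": (0.99, False),
    "oldest_unpatched_critical_days": (14, True),
    "false_positive_rate": (0.10, True),
}


def real(findings):
    """Confirmed findings only; false positives are excluded from the other KPIs."""
    return [f for f in findings if not f.false_positive]


def mttr_critical_hours(findings, tiers=("P0", "P1")) -> float:
    """Average discovery-to-fix time over fixed critical findings."""
    done = [f for f in real(findings) if f.tier in tiers and f.fixed]
    return mean((f.fixed - f.discovered).total_seconds() / 3600 for f in done) if done else 0.0


def sla_compliance(findings, now=NOW) -> float:
    compliant = 0
    for f in real(findings):
        due = f.discovered + timedelta(days=SLA_DAYS[f.tier])
        # ASSUMPTION: open but not yet overdue counts as compliant.
        compliant += int((f.fixed or now) <= due)
    return compliant / len(real(findings))


def vulnerability_density(findings, assets) -> float:
    open_count = sum(1 for f in real(findings) if f.fixed is None)
    return open_count / len(assets)


def scan_coverage(assets) -> float:
    return sum(1 for scanned in assets.values() if scanned) / len(assets)


def oldest_unpatched_critical_days(findings, now=NOW) -> int:
    open_crit = [f for f in real(findings) if f.tier in ("P0", "P1") and f.fixed is None]
    return max(((now - f.discovered).days for f in open_crit), default=0)


def false_positive_rate(findings) -> float:
    return sum(1 for f in findings if f.false_positive) / len(findings)


def kpi_report(findings=FINDINGS, assets=ASSETS, now=NOW):
    """Return {kpi: (value, target_met)}; density has a trend target, so met is None."""
    values = {
        "mttr_critical_hours": mttr_critical_hours(findings),
        "sla_compliance": sla_compliance(findings, now),
        "vulnerability_density": vulnerability_density(findings, assets),
        "scan_coverage": scan_coverage(assets),
        "oldest_unpatched_critical_days": oldest_unpatched_critical_days(findings, now),
        "false_positive_rate": false_positive_rate(findings),
    }
    report = {}
    for name, value in values.items():
        if name in TARGETS:
            threshold, below = TARGETS[name]
            report[name] = (value, value < threshold if below else value > threshold)
        else:
            report[name] = (value, None)
    return report


if __name__ == "__main__":
    for name, (value, met) in kpi_report().items():
        status = {True: "OK", False: "MISS", None: "trend"}[met]
        print(f"{name:32} {value:8.2f}  {status}")
```

On the sample register the critical MTTR (58 hours) and the oldest open critical (9 days) meet their targets, while SLA compliance (60%), scan coverage (75%) and the false-positive rate (17%) miss theirs; the unscanned database host and the overdue P1 on `api-01` are exactly the two items a weekly report should surface.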
Further Reading
- CISA KEV Catalog — Actively exploited vulnerabilities
- FIRST EPSS — Exploit prediction scores
- NIST NVD — National Vulnerability Database
- Shift-Left Security — Catching vulnerabilities earlier
- SAST vs DAST vs SCA — Security testing tool comparison
Published by SecureCodeReviews