Difference between teams that manage vulns well and those that drown: triage, prioritisation, and a system.
Triage
Does this affect us? Is the vulnerable function reachable? Is the component exposed? Are there mitigating controls? Is there a known exploit?
Modern SCA tools show reachability (call-graph analysis from your code to the vulnerable function). If the vulnerable code path isn't reachable, downgrade priority; don't close. Static reachability misses reflection and dynamic dispatch, and the next refactor can make the path live.
Prioritisation
CVSS isn't enough. The base score measures severity in the abstract, not risk to you: CVSS 9.8 in an internal tool for 3 people < CVSS 6.5 in the payment API.
| Factor | High | Medium | Low |
|---|---|---|---|
| Exploitability | Public exploit | PoC | Theoretical |
| Exposure | Internet-facing | Internal | Isolated |
| Impact | Customer data | Internal data | Cosmetic |
EPSS: Probability (0 to 1, from FIRST) that a CVE sees exploitation activity in the next 30 days. CVSS 7.0 + EPSS 0.95 >> CVSS 9.0 + EPSS 0.01.
CISA KEV: Confirmed exploited in the wild. On the list = P1 regardless of CVSS.
Remediation
Upgrade: Preferred.
Mitigate: WAF rule, input validation, network policy. Document as temporary with deadline.
Accept: Valid when not reachable and controls mitigate. Document with reviewers and an expiry date; re-triage at expiry, acceptance is never permanent.
SLAs
| Priority | SLA |
|---|---|
| P1 | 24 hours |
| P2 | 7 days |
| P3 | 30 days |
| P4 | 90 days |
Track: MTTR, backlog age, SLA compliance, new vs fixed ratio.
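The triage questions, the prioritisation table, EPSS/KEV handling and the SLA table above, worked through as one added example (my code, not from any SCA tool or from the original page). Field names, weights, thresholds and the sample findings are this example's own assumptions; the finding identifiers are constructed, not real CVEs.

```python
"""Finding -> priority -> SLA deadline, plus the tracking metrics.

Added example. Weights and thresholds are assumptions; tune to your estate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

SLA_DAYS = {"P1": 1, "P2": 7, "P3": 30, "P4": 90}


@dataclass
class Finding:
    ident: str
    cvss: float
    epss: float          # EPSS: probability of exploitation activity in next 30 days
    in_kev: bool         # on CISA Known Exploited Vulnerabilities list
    reachable: bool      # SCA reachability: vulnerable function reachable from our code
    exposure: str        # "internet" | "internal" | "isolated"
    impact: str          # "customer_data" | "internal_data" | "cosmetic"
    exploit: str         # "public" | "poc" | "theoretical"
    opened: datetime
    fixed: Optional[datetime] = None


def exploitability(f: Finding) -> int:
    """EPSS drives this, not CVSS; a public exploit counts the same as high EPSS."""
    if f.exploit == "public" or f.epss >= 0.5:
        return 3
    if f.exploit == "poc" or f.epss >= 0.1:
        return 2
    return 1


def prioritise(f: Finding) -> str:
    if f.in_kev:
        return "P1"  # confirmed in-the-wild exploitation: P1 regardless of CVSS
    exposure = {"internet": 3, "internal": 2, "isolated": 1}[f.exposure]
    impact = {"customer_data": 3, "internal_data": 2, "cosmetic": 1}[f.impact]
    score = exploitability(f) + exposure + impact  # 3..9; CVSS deliberately absent
    if score >= 8:
        prio = 1
    elif score >= 6:
        prio = 2
    elif score >= 4:
        prio = 3
    else:
        prio = 4
    # Not reachable: downgrade one level, never close. Static reachability misses
    # reflection and dynamic dispatch, and a later refactor can make the path live.
    if not f.reachable:
        prio = min(prio + 1, 4)
    return f"P{prio}"


def deadline(f: Finding) -> datetime:
    return f.opened + timedelta(days=SLA_DAYS[prioritise(f)])


def sla_met(f: Finding, now: datetime) -> bool:
    """Fixed findings: fixed before the deadline. Open findings: deadline not yet passed."""
    return (f.fixed or now) <= deadline(f)


def days(delta: timedelta) -> float:
    return delta.total_seconds() / 86400


def metrics(findings: list, now: datetime) -> dict:
    fixed = [f for f in findings if f.fixed]
    open_ = [f for f in findings if not f.fixed]
    return {
        "mttr_days": mean(days(f.fixed - f.opened) for f in fixed) if fixed else 0.0,
        "backlog_age_days": max((days(now - f.opened) for f in open_), default=0.0),
        "sla_compliance": sum(sla_met(f, now) for f in findings) / len(findings),
        "new_vs_fixed": len(findings) / len(fixed) if fixed else float("inf"),
    }


# Constructed sample findings (identifiers are placeholders, not CVEs), one per case above.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=10)
SAMPLE = [
    # CVSS 9.8 in an internal tool, no exploit, EPSS 0.01: P3 despite the score
    Finding("f1", 9.8, 0.01, False, True, "internal", "internal_data", "theoretical", T0),
    # CVSS 6.5 in the payment API, EPSS 0.95: P1; fixed after 36h, so the 24h SLA is breached
    Finding("f2", 6.5, 0.95, False, True, "internet", "customer_data", "poc", T0,
            T0 + timedelta(hours=36)),
    # On KEV: P1 even though CVSS 7.0 and not reachable; fixed in 12h
    Finding("f3", 7.0, 0.02, True, False, "internal", "internal_data", "theoretical",
            T0 + timedelta(days=5), T0 + timedelta(days=5, hours=12)),
    # Would score P1, but the vulnerable path is not reachable: P2, and now 3 days overdue
    Finding("f4", 8.0, 0.30, False, False, "internet", "customer_data", "poc", T0),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.ident, prioritise(f), deadline(f).date(), "met" if sla_met(f, NOW) else "BREACH")
    print(metrics(SAMPLE, NOW))
```

KEV short-circuits everything, including reachability, because the page's rule is "P1 regardless"; if you want non-reachable KEV entries at P2, move the `in_kev` check below the downgrade. Note that `cvss` is carried on the record for reporting but never enters the score.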
Keep current
Most effective practice: keep dependencies up to date. Security patches same-day. Patch versions weekly. Minor bi-weekly. Automate the bumps (Renovate/Dependabot-style bots) and let CI gate them; a backlog of old versions is what turns the next CVE into a P1.
The takeaway
Triage for reachability. Prioritise by exploitability + exposure + impact. Use EPSS and KEV. Define SLAs and track. Keep dependencies current.
