Vulnerability Remediation Priority Calculator
Calculate a weighted remediation priority score to help security teams triage and schedule vulnerability fixes based on severity, exploitability, asset value, and network exposure.
Formula
Raw Score = (CVSS ÷ 10) × 10 × Em × Am × Xm × Fage × Pm
Priority Score = min( Raw Score ÷ Max Raw Score × 100, 100 )
Age Urgency Factor Fage = 1 + min( log10(days + 1) ÷ log10(366), 1.0 )
Max Raw Score = 10 × 2.0 × 2.0 × 2.0 × 2.0 × 1.6 = 256
| Variable | Symbol | Range |
|---|---|---|
| CVSS Base Score | CVSS | 0.0 – 10.0 |
| Exploit Multiplier | Em | 1.0 – 2.0 |
| Asset Criticality | Am | 0.5 – 2.0 |
| Network Exposure | Xm | 0.5 – 2.0 |
| Age Urgency Factor | Fage | 1.0 – 2.0 |
| Patch Multiplier | Pm | 1.0 – 1.6 |
Priority Bands:
- Critical: 75–100
- High: 50–74
- Medium: 25–49
- Low: 0–24
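The formula, the variable ranges from the table and the priority bands, as a runnable Python implementation added here for illustration (this is not the calculator's own code). The range checks, rounding the score to the nearest integer before assigning a band, and the sample findings are assumptions made for the example.

```python
import math

# Multiplier ranges taken from the calculator's variable table.
RANGES = {
    "cvss": (0.0, 10.0),  # CVSS v3.1 base score
    "em": (1.0, 2.0),     # exploit multiplier
    "am": (0.5, 2.0),     # asset criticality
    "xm": (0.5, 2.0),     # network exposure
    "pm": (1.0, 1.6),     # patch availability multiplier
}
MAX_RAW_SCORE = 10 * 2.0 * 2.0 * 2.0 * 2.0 * 1.6  # 256, as stated on the page


def age_factor(days: int) -> float:
    """Fage = 1 + min(log10(days + 1) / log10(366), 1.0); reaches 2.0 at 365 days."""
    if days < 0:
        raise ValueError("days since disclosure cannot be negative")
    return 1.0 + min(math.log10(days + 1) / math.log10(366), 1.0)


def raw_score(cvss: float, em: float, am: float, xm: float, days: int, pm: float) -> float:
    """Raw Score = (CVSS / 10) x 10 x Em x Am x Xm x Fage x Pm, with range checks (assumed)."""
    for name, value in (("cvss", cvss), ("em", em), ("am", am), ("xm", xm), ("pm", pm)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside the allowed range [{lo}, {hi}]")
    return (cvss / 10) * 10 * em * am * xm * age_factor(days) * pm


def priority_score(cvss, em, am, xm, days, pm) -> float:
    """Priority Score = min(Raw Score / Max Raw Score x 100, 100)."""
    return min(raw_score(cvss, em, am, xm, days, pm) / MAX_RAW_SCORE * 100, 100.0)


def priority_band(score: float) -> str:
    """Map a score to the page's bands; rounding to an integer first is an assumption."""
    s = round(score)
    if s >= 75:
        return "Critical"
    if s >= 50:
        return "High"
    if s >= 25:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed sample findings: (id, cvss, em, am, xm, days, pm)
    findings = [
        ("VULN-A", 9.8, 2.0, 2.0, 2.0, 30, 1.0),   # actively exploited, fix available
        ("VULN-B", 7.5, 1.0, 1.0, 0.5, 400, 1.6),  # old, internal only, no patch
    ]
    for f in sorted(findings, key=lambda f: priority_score(*f[1:]), reverse=True):
        s = priority_score(*f[1:])
        print(f"{f[0]}: {s:5.1f} {priority_band(s)}")
```

Note that even with every multiplier except age and patch at its maximum, VULN-A lands in the Medium band, because the score is normalised against the product of all maxima.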
Assumptions & References
- CVSS Base Score follows the CVSS v3.1 specification published by FIRST (Forum of Incident Response and Security Teams). Scores range from 0.0 (None) to 10.0 (Critical).
- Exploit multipliers are derived from the CVSS Temporal / Exploit Code Maturity metric and the CISA Known Exploited Vulnerabilities (KEV) Catalog weighting approach.
- Asset criticality and network exposure multipliers align with the NIST SP 800-30 Rev. 1 risk assessment framework for impact and likelihood weighting.
- The age urgency factor uses a logarithmic scale (base 10, normalised so that the factor reaches its maximum at 1 year = 365 days) so that urgency grows quickly in the first weeks and plateaus for very old vulnerabilities, reflecting real-world patching dynamics.
- The patch availability multiplier reflects the CVSS Remediation Level temporal metric: the multiplier increases from official fix, to workaround, to unavailable.
- Recommended SLA thresholds are consistent with PCI DSS 4.0 (critical: 1 day), NIST CSF, and common enterprise vulnerability management policies.
- This calculator provides a relative triage score and does not replace a full risk assessment. Scores should be reviewed alongside business context and threat intelligence.
- References: FIRST CVSS v3.1 Specification (https://www.first.org/cvss/), CISA KEV Catalog, NIST SP 800-30 Rev. 1, PCI DSS v4.0.