Josh Jacobson
Director of Professional Services
Vulnerability Management

Vulnerability Prioritization: Severity Does Not Mean Priority

A security team prioritizing vulnerability management

By Josh Jacobson, Director of Professional Services
Michiel Prins, Co-founder & Senior Product Director

With a lengthy backlog of vulnerability data, it is all too easy to miss the forest for the trees and be hampered by analysis paralysis. As such, a data-informed prioritization strategy is integral to ensuring remediation efforts are practical.

Automated scanners and tools are noisy; they do not know your business and can’t extrapolate context to truly understand validity and impact. Severity ratings are inflated guesses, and volume is bloated. This misalignment issue leaves security leaders with tools whose sole purpose seems to be to chirp at you constantly.

This industry-caused problem of alert fatigue is not without consequences. All too often, we observe flawed relationships between developers and security teams. Noisy scanner output and carelessly filtered pentest reports have become “The Boy Who Cried Wolf,” and engineers have simply learned to ignore tickets because they’re inaccurate. A broken security culture sets a dangerous precedent for an organization’s capacity to respond quickly to a threat when push comes to shove. Conscious AppSec teams take on the burden of filtering the alerts firehose to spare developer frustration. While it works, it’s an inefficient use of rare security engineering and AppSec talent.

A better approach is needed. In this post, we will discuss how you can harness the power of hackers to get more value and action out of your vulnerability data.

Discoverability: Hacker Findings Correlation

Vulnerability prioritization in a warehouse
Image generated with DALL-E 3

Let’s face it: the remediation backlog is larger than the capacity to remediate. Automated tools, like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), add new alerts to the pile daily, often disregarding validity. A great place to start and get a grip on the backlog is to run a correlation exercise. 

Hacker findings from your Vulnerability Disclosure Program (VDP) or bug bounty program (BBP) come with a powerful data attribute: the vulnerability was discovered externally by someone outside your organization. A hacker! Vulnerabilities identified by someone from the outside hold more water than the unsubstantiated claim of an automated scanning tool alone. This additional dimension of discoverability enables you to reorganize the backlog by what’s externally discoverable and exploitable. 

Keep the correlation exercise simple at first. Correlate between readily available attributes such as asset and Common Weakness Enumeration (CWE) type. Combining the evidence of a correlation with Common Vulnerability Scoring System (CVSS) forms an excellent starting point to turn the backlog into a prioritized roadmap. As you make headway over time, you can focus on more nuanced correlations such as endpoints, paths, parameters, payload, etc. 

Business Impact: Let Hackers Tell You

To really whittle down the backlog, you need to have a clear understanding of the business impact of each vulnerability so you can prioritize those with the potential to cause devastating effects. The CVSS severity rating of a vulnerability by itself doesn’t capture the individual importance to your business. Your unique business environment, such as the threat model, data privacy commitments, and regulations, can significantly modify the impact of a particular finding.

The best way to add the missing dimension of business impact is to let the hackers tell you. Import known vulnerabilities from SAST or DAST tools into your program and ask hackers to try and exploit them. If they succeed, they get paid a bounty. This solves the misalignment issue with automated tooling: hackers are financially incentivized to always optimize for the highest possible business impact. Hackers use their creativity to find novel ways to demonstrate meaningful business impact. Time and time again, we have seen hackers take something seemingly benign and turn it into a “page the team now!” level bug.

Through this exercise, you learn quickly which vulnerabilities are exploitable from the outside and their true business impact. With that new information, you can confidently prioritize your remediation resources towards the most exploitable, highest-impact bugs. It also gives peace of mind that deprioritizing other alerts doesn’t leave your organization massively exposed. 

Likelihood of Exploitation

Vulnerability prioritization
Image generated with DALL-E 3

Even if you know there is a vulnerability that is valid and exploitable from the outside, there’s still the remaining question: how likely is it that this vulnerability will be exploited? This issue is especially prevalent when prioritizing Common Vulnerabilities and Exposures (CVEs). Many CVEs never get exploited in the wild, let alone weaponized on a large scale. Understanding the likelihood of in-the-wild exploitation is a powerful tool in the remediation process. 

HackerOne’s Hacktivity offers two helpful data attributes that represent the likelihood of a particular CVE’s exploitation risk. The first is that within CVE Discovery, you can look up trending CVEs and observe how often they are reported on the HackerOne platform. The second is to combine this with the Exploit Prediction Scoring System (EPSS) rating of the CVE. EPSS, leveraging a predictive model, provides a live measure of exploitability for each CVE. An EPSS score estimates the probability of observing in-the-wild exploitation attempts against that vulnerability in the next 30 days. Both of these bring together another excellent source of context to factor into your vulnerability backlog prioritization efforts.

Planning Next Steps

The beauty of these three approaches is that you don’t have to begin with all three simultaneously. You can stack them over time as you demonstrate progress. You can start with a simple hacker findings correlation and see how far you get. Once you run out of mileage, tap your network of hackers and build business impact into your prioritization model. Finally, top it off with exploitability likelihood as a tertiary input. 

Once you execute an effective and risk-informed prioritization strategy, you’ll soon start earning time back. This opens up opportunities to invest resources into proactive security measures. These are invaluable initiatives that prevent future backlog buildups and reduce security risk more holistically. In a future blog, we will explore ways to become more proactive in your remediation work. 

If you’re interested in running a correlation exercise or need help building business impact into your prioritization model through Security Advisory Services, contact our experts today or reach out to your HackerOne Customer Success Manager.