From challenge to champion: Elevate your vulnerability management strategy

2026-02-12 ~1 min read www.redhat.com #kubernetes

⚡ TL;DR

In the world of cybersecurity, vulnerability management is frequently a collaborative effort between vendors, software maintainers, and customers. It's a continuous journey of discovery, prioritization, and remediation that we embark on together.

📝 Summary

In the world of cybersecurity, vulnerability management is frequently a collaborative effort between vendors, software maintainers, and customers. It's a continuous journey of discovery, prioritization, and remediation that we embark on together. Each challenge that we face provides valuable opportunities to refine our strategies and strengthen our collective security posture.

Based on our work with customers, we've identified a few common areas where we can all “level up” our vulnerability management game. Let's explore these patterns and recommendations.

A common starting point for prioritizing vulnerabilities is the Common Vulnerability Scoring System (CVSS) base score, which is provided by vendors, vulnerability scanning applications and government databases like the US National Vulnerability Database (NVD). While this base score is a great upstream measure of intrinsic flaw characteristics, relying only on the base score in a downstream system can have teams looking for high-scoring vulnerabilities that pose little actual risk to their specific environment.

Think of the CVSS base score as the manufacturer's suggested retail price (MSRP) of a car. It gives you a general idea of value, but it doesn't account for your specific needs, the car's mileage, or current market conditions.

In 2024, 40,000 CVEs were published. Of those, only 4200 affected Red Hat products. If you compare the CVSS base scores of those 4200 CVEs, you’ll find that 35% had a Red Hat severity rating that was lower than a severity mapped 1 to 1 with the base CVSS score.
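The comparison behind that 35% figure can be reproduced on your own scanner output. The sketch below is an added example, not Red Hat code: it maps each CVSS v3.x base score onto the four Red Hat severity labels (the 1-to-1 mapping Medium = Moderate, High = Important is an assumption), then reports which findings the vendor rated lower. The field names and the `CVE-EXAMPLE-*` records are constructed placeholders.

```python
from collections import Counter

# Ordinal ranks for the vendor's four-level scale, plus "None" for a 0.0 score.
RANK = {"None": 0, "Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}

def severity_from_base_score(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative band, using vendor labels."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Moderate"
    if score < 9.0:
        return "Important"
    return "Critical"

def compare(findings):
    """Return (counts, downgraded): how vendor severity relates to the mapped band."""
    counts, downgraded = Counter(), []
    for f in findings:
        mapped = severity_from_base_score(f["base_score"])
        vendor = f["vendor_severity"]
        if vendor not in RANK:
            raise ValueError(f"unknown vendor severity: {vendor!r}")
        delta = RANK[vendor] - RANK[mapped]
        counts["lower" if delta < 0 else "higher" if delta > 0 else "same"] += 1
        if delta < 0:
            downgraded.append((f["id"], mapped, vendor))
    return counts, downgraded

# Constructed sample findings; ids are placeholders, not real CVEs.
FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "base_score": 9.8, "vendor_severity": "Important"},
    {"id": "CVE-EXAMPLE-0002", "base_score": 7.5, "vendor_severity": "Moderate"},
    {"id": "CVE-EXAMPLE-0003", "base_score": 5.3, "vendor_severity": "Moderate"},
    {"id": "CVE-EXAMPLE-0004", "base_score": 8.8, "vendor_severity": "Important"},
    {"id": "CVE-EXAMPLE-0005", "base_score": 3.3, "vendor_severity": "Low"},
    {"id": "CVE-EXAMPLE-0006", "base_score": 6.1, "vendor_severity": "Low"},
]

if __name__ == "__main__":
    counts, downgraded = compare(FINDINGS)
    print(f"vendor rating lower than mapped base score: "
          f"{counts['lower']}/{len(FINDINGS)} ({counts['lower'] / len(FINDINGS):.0%})")
    for cve_id, mapped, vendor in downgraded:
        print(f"  {cve_id}: base score maps to {mapped}, vendor rates {vendor}")
```

Findings in the `downgraded` list are the ones a base-score-only queue would rank too high for this vendor's build of the component.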