Scoring Methodology

How RiskScore Works

CVSS tells you how bad. RiskScore tells you if it's being exploited.

1. What goes in

Every RiskScore is computed from three publicly available data sources. We don't use proprietary threat intelligence or vendor-specific data.

CVSS Base Score

Source: NVD / NIST

The Common Vulnerability Scoring System (CVSS) base score ranges from 0.0 to 10.0 and measures the intrinsic characteristics of a vulnerability — attack vector, complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. It captures how bad a vulnerability could be under ideal attacker conditions, independent of any specific environment.

We use the CVSS v3.x base score when available, falling back to v2 for older CVEs. Environmental and temporal scores are not included — they require per-deployment context we don't have.

EPSS Probability

Source: FIRST.org

The Exploit Prediction Scoring System (EPSS) is a machine-learning model maintained by FIRST.org that estimates the probability a given CVE will be exploited in the wild within the next 30 days. Scores range from 0 to 1 (0%–100%). A CVE with EPSS 0.95 has a 95% predicted probability of active exploitation within 30 days.

EPSS scores are updated daily. New CVEs may not have an EPSS score for 24–72 hours after publication. When EPSS is absent, we treat it as 0 (no exploitation signal), which reduces the composite score and is noted explicitly in the API response.

CISA KEV Presence

Source: CISA

The CISA Known Exploited Vulnerabilities (KEV) catalog is a curated list of CVEs that have confirmed, active exploitation in the wild. CISA adds a CVE to KEV only after evidence of exploitation is observed — not based on theoretical risk. KEV membership is a binary signal: a CVE is either on it or it isn't.

KEV is the strongest single signal in our model. A CVE on the KEV list has been exploited by real attackers targeting real systems. We treat this as a hard boost to the composite score.

2. What the 0–100 score means

The composite RiskScore is a weighted combination of the three inputs above, normalized to a 0–100 integer. A higher score means higher actual risk — not just higher theoretical severity.

The key distinction: CVSS alone cannot produce a score of 100 in our model. Reaching the top of the scale requires exploitation signal — either a high EPSS probability, KEV presence, or both. A CVSS 10.0 with no exploitation evidence will score significantly lower than a CVSS 7.5 that is actively on the KEV list.

Score range | Label    | What it means
90–100      | CRITICAL | Active exploitation confirmed. Patch immediately.
75–89       | HIGH     | Strong exploitation signal. Likely being exploited. Patch this sprint.
50–74       | MEDIUM   | Moderate risk. Elevated CVSS or EPSS. Track and schedule.
25–49       | LOW      | Low exploitation likelihood. Known vuln but minimal attacker interest.
0–24        | MINIMAL  | Negligible risk. Theoretical or very old vulnerability with no signal.
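The following is an added illustration, not RiskScore's own code or formula (the exact weights are not published). It uses assumed weights chosen only to reproduce the properties this section states: CVSS alone cannot reach the top of the scale, KEV membership is a hard boost, a missing EPSS is treated as 0 and flagged, and a CVSS 7.5 on KEV outscores a CVSS 10.0 with no exploitation signal. The band labels are the ones from this section; everything else is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed, illustrative weights. RiskScore does not publish its formula;
# these values were picked so the model's documented properties hold.
CVSS_WEIGHT = 5.0   # CVSS 0-10 contributes at most 50 points
EPSS_WEIGHT = 40.0  # EPSS 0-1 contributes at most 40 points
KEV_FLOOR = 90      # KEV membership pins the score into the CRITICAL band
KEV_BONUS = 10      # and lifts already-high scores further, capped at 100

# Band boundaries as documented: score floor -> label
LABELS = [(90, "CRITICAL"), (75, "HIGH"), (50, "MEDIUM"), (25, "LOW"), (0, "MINIMAL")]


@dataclass(frozen=True)
class ScoreResult:
    score: int          # 0-100 integer
    label: str          # band label
    epss_missing: bool  # True when EPSS was absent and treated as 0


def label_for(score: int) -> str:
    """Map an integer score to its documented band label."""
    for floor, name in LABELS:
        if score >= floor:
            return name
    return "MINIMAL"


def composite_score(cvss: float, epss: Optional[float], in_kev: bool) -> ScoreResult:
    """Combine CVSS, EPSS and KEV into a 0-100 score (illustrative weights)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    epss_missing = epss is None
    epss_value = 0.0 if epss_missing else float(epss)
    if not 0.0 <= epss_value <= 1.0:
        raise ValueError(f"EPSS probability out of range: {epss}")

    # Without KEV the maximum is 90, and CVSS on its own tops out at 50:
    # reaching the top of the scale needs exploitation signal.
    base = CVSS_WEIGHT * cvss + EPSS_WEIGHT * epss_value
    if in_kev:
        # Hard boost: confirmed exploitation never scores below the CRITICAL floor.
        base = max(KEV_FLOOR, base + KEV_BONUS)

    score = int(round(min(100.0, base)))
    return ScoreResult(score=score, label=label_for(score), epss_missing=epss_missing)


if __name__ == "__main__":
    # Constructed inputs showing the contrast the text describes.
    for cvss, epss, kev in [(10.0, 0.0, False), (7.5, None, True), (9.8, 0.9, False)]:
        r = composite_score(cvss, epss, kev)
        print(f"CVSS {cvss:4} EPSS {epss!s:5} KEV {kev!s:5} -> {r.score:3} {r.label}"
              + ("  (EPSS missing)" if r.epss_missing else ""))
```

With these assumed weights a CVSS 10.0 with no EPSS signal and no KEV entry lands at 50 (MEDIUM), while a CVSS 7.5 that is on KEV lands at 90 (CRITICAL); the `epss_missing` flag mirrors the API's explicit note that a missing EPSS suppressed the score.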

3. How to use it for prioritization

RiskScore is designed to answer a specific question: of everything in my scanner output, what do I patch first? Use the score as a triage layer on top of your existing tooling.

Score > 75: Patch immediately

A score above 75 means exploitation is likely happening now or has happened. These CVEs are either on the CISA KEV list, have EPSS > 0.5, or both. Do not defer these. If this appears in your environment, it should trigger an incident response conversation.

Score 50–74: Schedule this sprint

Medium-range scores indicate genuine risk with some exploitation signal. These warrant a real patch window — not next quarter, not eventually. If your organization has a patch SLA, these should fit in the 15–30 day tier.

Score < 50: Track, don't panic

Low scores don't mean ignore — they mean deprioritize relative to higher-scored items. Monitor EPSS movement. If a CVE's score jumps, something changed in the wild.

Watching for movement

EPSS scores change daily as new exploitation evidence surfaces. A CVE that scores 30 today might score 85 next week if a proof-of-concept drops or attackers start scanning for it. Use the API with periodic polling or set up webhooks to catch these transitions.
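As an added example (not the project's own tooling), the triage and movement logic above expressed in code: scanner findings are bucketed into the three actions this section defines, and two successive score snapshots are diffed to surface CVEs whose score crossed into a different action or jumped sharply. It assumes a score of exactly 75 belongs with "patch immediately" (the thresholds as written leave 75 unassigned), and the findings, CVE identifiers and snapshots are all constructed placeholders, not data from the RiskScore API, whose response shape is not shown here.

```python
from dataclasses import dataclass
from typing import Dict, List

# Action thresholds as documented; 75 itself is assumed to round up to "patch now".
PATCH_NOW = 75
SCHEDULE = 50
MIN_JUMP = 20  # assumed: a move of this many points is worth a look even within a band


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    risk_score: int


@dataclass(frozen=True)
class Transition:
    cve_id: str
    old_score: int
    new_score: int
    old_action: str
    new_action: str

    @property
    def direction(self) -> str:
        return "up" if self.new_score > self.old_score else "down"


def action_for(score: int) -> str:
    """Map a RiskScore to the triage action this section prescribes."""
    if score >= PATCH_NOW:
        return "patch_now"
    if score >= SCHEDULE:
        return "schedule_sprint"
    return "track"


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Bucket scanner findings by action, highest score first within each bucket."""
    buckets: Dict[str, List[Finding]] = {"patch_now": [], "schedule_sprint": [], "track": []}
    for f in sorted(findings, key=lambda f: f.risk_score, reverse=True):
        buckets[action_for(f.risk_score)].append(f)
    return buckets


def score_transitions(previous: Dict[str, int], current: Dict[str, int]) -> List[Transition]:
    """Find CVEs whose action changed between two polls, or whose score moved >= MIN_JUMP.

    CVEs absent from the previous snapshot are skipped: they are new findings,
    not movement, and belong in the triage buckets instead.
    """
    moved = []
    for cve_id, new in current.items():
        old = previous.get(cve_id)
        if old is None:
            continue
        old_action, new_action = action_for(old), action_for(new)
        if old_action != new_action or abs(new - old) >= MIN_JUMP:
            moved.append(Transition(cve_id, old, new, old_action, new_action))
    return moved


# Constructed sample data; CVE-0000-* are placeholders, not real identifiers.
FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 92),
    Finding("CVE-0000-0002", "web-01", 61),
    Finding("CVE-0000-0003", "db-02", 18),
    Finding("CVE-0000-0004", "db-02", 75),
]
YESTERDAY = {"CVE-0000-0003": 18, "CVE-0000-0002": 61, "CVE-0000-0005": 40}
TODAY = {"CVE-0000-0003": 85, "CVE-0000-0002": 66, "CVE-0000-0005": 10, "CVE-0000-0006": 95}

if __name__ == "__main__":
    for action, items in triage(FINDINGS).items():
        print(action, [f"{f.cve_id}@{f.asset}:{f.risk_score}" for f in items])
    for t in score_transitions(YESTERDAY, TODAY):
        print(f"{t.cve_id}: {t.old_score} -> {t.new_score} ({t.old_action} -> {t.new_action}, {t.direction})")
```

In the sample, the CVE that moved from 18 to 85 is exactly the case the text describes (a score that jumps because something changed in the wild), and it is reported as a track-to-patch_now transition; a small drift from 61 to 66 stays silent because neither the action nor the size of the move warrants attention.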

4. Known limitations

This section exists because we'd rather you know the gaps than discover them yourself during an incident.

NVD data lag (up to 24h)

We sync from the NVD API on a regular cadence. Newly published CVEs may not appear in RiskScore for up to 24 hours after NVD ingestion. CISA KEV and EPSS are also synced on similar schedules. Do not use RiskScore as a real-time CVE feed for newly disclosed vulnerabilities.

CVEs with no EPSS score

FIRST.org's EPSS model requires CVE data to generate predictions. Very new CVEs (published within the last 24–72 hours) may not have an EPSS score yet. For these, our model treats EPSS as 0, which suppresses the composite score below its true risk level. The API response explicitly flags when EPSS is missing.

CVSS is not exploitation evidence

CVSS measures theoretical severity — it says nothing about whether a vulnerability is being exploited in practice. A CVSS 10 CVE with no KEV presence and low EPSS has no reliable evidence of exploitation at scale. Our model accounts for this, but CVSS remains a significant input, so very high CVSS CVEs will score higher even with no exploitation signal.

Exact weights are not published

We do not publish the exact formula or weights. This is intentional — publishing exact weights creates an optimization target for adversarial actors and would not meaningfully improve most users' ability to prioritize. The methodology described here is sufficient to understand and defend the scoring approach.

No context about your environment

RiskScore is a global risk signal. It doesn't know whether you're running the affected software, what your network exposure is, or whether you have compensating controls. A score of 90 in a sandboxed dev environment is different from the same score in internet-facing production. Use RiskScore as a triage layer, not as a replacement for asset-context-aware vulnerability management.

Sync cadence

NVD, EPSS, and CISA KEV are all external sources we don't control. Our sync runs on a scheduled basis. The exact timing is not guaranteed and may slip during upstream API outages or rate limits. For time-sensitive decisions, always cross-reference with the primary source.

If you're presenting this to a CISO or security review board: RiskScore is a composite triage signal built from three authoritative public sources — NVD (CVSS), FIRST.org (EPSS), and CISA (KEV). Higher scores indicate higher probability of active exploitation, not just higher theoretical severity. The model is designed to reduce alert fatigue and surface the small percentage of CVEs that actually warrant urgent response.