The CVE That Didn't Matter (And The One That Did)
CVE-2024-CRITICAL. Score 9.8. The security team sends the alert. All-hands emergency meeting scheduled.
Our response: scheduled for next sprint.
Why? Because CVSS 9.8 doesn't mean anything until you know the actual risk.
The Panic Cycle
Every critical CVE triggers the same cycle:
- Alert arrives. Severity is always "critical."
- Teams abandon sprint work. Everyone swarms the vulnerability.
- Emergency patches are built, tested in minutes, deployed without approval.
- Deployments break things. Rollbacks happen at 2am.
- Post-mortems ask why we panicked over something that couldn't touch us anyway.
The CVSS score becomes noise. Everything is treated as an existential threat. Real emergencies get lost in the volume.
The problem is simple: CVSS is not risk.
Two CVEs, One Response
Let me show you the difference.
CVE-2024-A: The High-Score False Alarm
| Aspect | Details |
|---|---|
| CVSS Score | 9.8 (Critical) |
| Vector | Network, Low Privilege, No User Interaction |
| Vulnerability | Remote code execution in library X |
| Your exposure | Library X is a transitive dependency of a dev-only tool |
| Attack surface | Requires an attacker to control your CI logs |
| Blast radius | CI system only, isolated network, no production access |
| Time to fix | Update dev dependency (already on quarterly cycle) |
The score says critical. The reality says not a priority this sprint.
CVE-2024-B: The Medium-Score Real Emergency
| Aspect | Details |
|---|---|
| CVSS Score | 6.5 (Medium) |
| Vector | Local, requires authentication |
| Vulnerability | Container escape in runtime you use |
| Your exposure | Running production workloads in containers |
| Attack surface | Any container in your fleet is an entry point |
| Blast radius | Attacker gains host access, can reach database, secrets, customer data |
| Time to fix | Update runtime, roll out to all clusters, validate |
The score says medium. The reality says: this is an emergency. We own production infrastructure. An attacker getting host access is a data breach.
Why CVSS Gets It Wrong
CVSS measures technical exploitability. It doesn't measure:
- Exposure: Does the vulnerability even touch your systems?
- Enablement: What preconditions must exist for the exploit to work?
- Blast radius: If exploited, what data or systems are at risk?
- Detectability: Can your team see if someone is attacking this?
- Recoverability: If it happens, how fast can you respond?
Context Is Everything
A vulnerability scoring 9.8 but requiring physical access to your air-gapped network is lower risk than a 5.2 that compromises all your customer data. CVSS scores without context are noise.
The Framework That Changed Behavior
Instead of dropping everything for high scores, we built a risk framework:
Triage Asks
- Does this vulnerability affect any system we own?
- If exploited, what would an attacker gain access to?
- What preconditions must be true for the exploit to work?
- How likely is that to happen in our environment?
- How visible is an attack attempt?
Triage Produces a Risk Rating
| Exposure | Blast Radius | Time to Fix | Action |
|---|---|---|---|
| No exposure | N/A | N/A | Close it. Not our problem. |
| Exposed, high barriers | Low risk | 30+ days | Next release cycle. |
| Exposed, low barriers | Medium risk | 7 days | This sprint. |
| Exposed, low barriers | Customer data at risk | Any | Stop. Deploy hotfix now. |
The CVSS score informs the decision. It doesn't make it.
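The decision table above, encoded as a triage function and run over the two CVEs from this post. This is an added example, not code from the original post; the enum names, the `Finding` type, and the handling of combinations the table does not list are my assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Exposure(Enum):
    NONE = "no exposure"                       # not in any system we own
    HIGH_BARRIERS = "exposed, high barriers"   # preconditions rarely met
    LOW_BARRIERS = "exposed, low barriers"     # preconditions routinely met


class BlastRadius(Enum):
    LOW = "low risk"
    MEDIUM = "medium risk"
    CUSTOMER_DATA = "customer data at risk"


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # recorded as input; never consulted by triage()
    exposure: Exposure
    blast: BlastRadius


# Rows of the post's table: (exposure, blast) -> (action, max days to fix).
RULES = {
    (Exposure.HIGH_BARRIERS, BlastRadius.LOW): ("Next release cycle.", 30),
    (Exposure.LOW_BARRIERS, BlastRadius.MEDIUM): ("This sprint.", 7),
    (Exposure.LOW_BARRIERS, BlastRadius.CUSTOMER_DATA): ("Stop. Deploy hotfix now.", 0),
}


def triage(f: Finding) -> tuple[str, Optional[int]]:
    """Return (action, days_to_fix); None means no deadline."""
    if f.exposure is Exposure.NONE:
        return ("Close it. Not our problem.", None)
    # Assumption (not in the post): a combination the table does not cover,
    # e.g. high barriers but customer data at risk, is escalated to a human
    # within a day rather than guessed at by the script.
    return RULES.get((f.exposure, f.blast),
                     ("Manual review: combination not in decision table.", 1))


def queue(findings: list[Finding]) -> list[Finding]:
    """Work order by framework deadline, shortest first; CVSS plays no part."""
    def key(f: Finding):
        days = triage(f)[1]
        return (days is None, days or 0, f.cve)
    return sorted(findings, key=key)


# The two findings described in the post (values taken from its tables).
CVE_2024_A = Finding("CVE-2024-A", 9.8, Exposure.HIGH_BARRIERS, BlastRadius.LOW)
CVE_2024_B = Finding("CVE-2024-B", 6.5, Exposure.LOW_BARRIERS, BlastRadius.CUSTOMER_DATA)
FINDINGS = [CVE_2024_A, CVE_2024_B]
```

Sorting `FINDINGS` by `cvss` puts CVE-2024-A first; `queue(FINDINGS)` puts CVE-2024-B first, which is the whole point of the table.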
The Metrics
Six months after implementing the framework:
- Emergency patches dropped by 60%: teams stopped responding to CVSS scores alone
- Actual patching speed improved: real emergencies got a faster response because they weren't buried in noise
- Developer sanity improved: teams could plan work instead of reacting to alerts
- Security didn't suffer: serious vulnerabilities got the attention they deserved
Smarter, Not Weaker
The framework didn't make security weaker. It made it smarter. Fewer false alarms meant real threats got the attention they deserved.
CVE-2024-CRITICAL Revisited
That CVSS 9.8 we got? The library was only in our build pipeline. The attack vector required controlling CI logs. We had air-gapped CI infrastructure, no production exposure, and a quarterly maintenance cycle already scheduled.
The framework said not urgent.
We patched it in the next regular update. No emergency meeting. No dropped work. No broken deployments at 2am.
Then CVE-2024-B showed up. Medium score. Local privilege escalation in our container runtime.
The framework said emergency.
We had a hotfix deployed to production within 4 hours.
Both decisions were correct. The framework made engineers think instead of panic.
The Real Lesson
CVSS is useful data. It's not a decision.
Risk prioritization is an engineering discipline. It requires:
- Understanding your architecture
- Knowing what data matters
- Measuring exposure honestly
- Planning for speed when it counts
Teams that automate this and turn risk triage into a process instead of a fire drill get two things:
- Fewer emergencies because false alarms don't distract from real ones
- Faster response when emergencies actually happen
The CVE that didn't matter taught our team to think. The one that did taught them to move fast.
For a detailed risk triage framework, see Risk Prioritization Framework.
The CVSS score was high. The risk was low. The framework made the difference.