I am working on a project to both clean up vulnerability technical debt and build a framework for our team to use when prioritising vulnerability remediation going forward.
To that end I am trying to build queries for remdiation projects that have what I believe are the essential criteria for determining risk/ prioritisation, however, I have found that the query builder just doesn’t seem to have all the right compoenents available for selection.
I would like to use the CVSS3 fields to do this but they are not available (as far as I can see). I had thought that perhaps, categories would cover it but I found that not to be the case.
As an example, I would like to set the below crietria as the highest priroty for remediation, but, attack vector and complexity are not available. I had tried using the category network and exploit rank of Novice but the result doesn’t seem to line up.
Attack Vector: Network
Attack Complexity: Low
Remote Code Execution: Yes
Publicly Exploited: Yes
MS Patch: No
Is this the right way to approach this or is there a better way? Perhaps I should just rate them based on the risk score (currently set at real risk). I would apprciate any thoughts or suggestions as to what foks in the community do.
Thanks,
Jamesy