Security Center displays severity scores for detected vulnerabilities to help you assess whether a vulnerability has a higher priority. This topic describes how to prioritize vulnerabilities.

Background information

Prioritizing vulnerabilities is essential to protect your Alibaba Cloud assets. If you have a large number of assets and many vulnerabilities are detected at once, it is hard to assess which vulnerabilities need to be fixed first. To solve this problem, Security Center applies a scoring criterion that helps you prioritize vulnerabilities.

The severity score

Calculation method

Severity score = CVSS score x Time score x Environment score x Asset importance score

The following table lists the descriptions of the parameters:

Parameter: CVSS Score
  Description: The Common Vulnerability Scoring System (CVSS) score of the vulnerability. Valid values: 0 to 10.
  Remarks: CVSS is used to assess the severity of vulnerabilities.

Parameter: Time Score
  Description: To complement the CVSS score, a dynamic time curve is formed by taking into account factors such as the delay in deploying vulnerability mitigations and the spread of exploit methods for the vulnerability. Valid values: 0 to 1.
  Remarks: During the first three days after a vulnerability is publicized, the increased exposure greatly raises the possibility that the vulnerability is exploited. During this time, the value of this parameter rises from 0 to a temporary peak that is less than 1, and then drops sharply. Because vulnerabilities become easier to exploit over time, the value then increases again and approaches 1 within 100 days.

Parameter: Environment Score
  Description: The environment of your servers.
  Remarks: To calculate the environment score, Security Center takes into account factors such as the conditions required to exploit the vulnerability and the status of your server. The environment score is vital to prioritizing a vulnerability.

  Factors that determine the environment score include:

    • If your server is connected to the Internet:
      • If the vulnerability can be exploited remotely, the value is set to 1.5.
      • If the vulnerability can be exploited, the value is set to 1.2.
      • If the vulnerability can be exploited locally, the value is set to 1.
      • If the vulnerability can only be exploited in a complex cloud environment, Security Center lowers the weight of the environment score and dynamically adjusts it based on the actual conditions of your server.
    • If your server is only connected to local area networks instead of the Internet:
      • If the vulnerability can be exploited remotely, Security Center lowers the weight of the environment score and dynamically adjusts it based on the actual conditions of your server.
      • If the vulnerability can be exploited, the value is set to 1.2.
      • If the vulnerability can be exploited locally, the value is set to 1.
      • If the vulnerability can only be exploited in a complex cloud environment, Security Center lowers the weight of the environment score and dynamically adjusts it based on the actual conditions of your server.

Parameter: Asset Importance Score
  Description: If you have a large number of servers, the system calculates asset importance scores for different servers or assets based on their importance in different scenarios.
  Remarks: The asset importance score is one of the factors that determine the final severity score and helps you prioritize vulnerabilities. The default value is 1.

Vulnerability fix priorities

  • Critical: The severity score is between 13.5 and 15, which typically represents a high-risk vulnerability.
  • Important: The severity score is between 7.1 and 13.5, which typically represents a medium-risk vulnerability.
  • Moderate: The severity score is below 7, which typically represents a low-risk vulnerability.
Note
  • When the environment score cannot be calculated due to reasons such as unstable network connections, the fix suggestion is displayed as Moderate.
  • Emergency and Web-CMS vulnerabilities are high-risk vulnerabilities confirmed by Alibaba Cloud security engineers. We recommend that you fix these two types of vulnerabilities first.
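The calculation above, the environment score factors, the fix priority bands and the Note about a missing environment score, worked through as an added example (this is illustrative code written for this page, not Security Center's own implementation). The fixed weights come from the factor list; the "dynamically adjusted" cases and the unspecified 7.0 to 7.1 band are handled by assumptions marked in the comments.

```python
from typing import Optional, Tuple

# Environment score weights from the factor list on this page. None marks the
# cases the page says Security Center adjusts dynamically (no fixed value is
# published), so the score cannot be computed offline for them.
ENV_SCORE = {
    ("internet", "remote"): 1.5,
    ("internet", "exploitable"): 1.2,
    ("internet", "local"): 1.0,
    ("internet", "complex_cloud"): None,
    ("lan", "remote"): None,
    ("lan", "exploitable"): 1.2,
    ("lan", "local"): 1.0,
    ("lan", "complex_cloud"): None,
}

def environment_score(network: str, exploit: str) -> Optional[float]:
    """Fixed environment weight, or None when the page says it is dynamic."""
    return ENV_SCORE[(network, exploit)]

def severity_score(cvss: float, time_score: float, env_score: Optional[float],
                   asset_importance: float = 1.0) -> Optional[float]:
    """Severity = CVSS score x Time score x Environment score x Asset importance."""
    if not 0 <= cvss <= 10:
        raise ValueError("CVSS score must be between 0 and 10")
    if not 0 <= time_score <= 1:
        raise ValueError("time score must be between 0 and 1")
    if env_score is None:            # environment score could not be calculated
        return None
    return round(cvss * time_score * env_score * asset_importance, 2)

def fix_priority(score: Optional[float]) -> str:
    """Map a severity score to the fix priority bands listed on this page."""
    if score is None:                # per the Note: shown as Moderate
        return "Moderate"
    if score >= 13.5:                # assumption: 13.5 itself counts as Critical
        return "Critical"
    if score >= 7.1:
        return "Important"
    return "Moderate"                # assumption: 7.0-7.1 (unspecified) is Moderate

def prioritize(cvss: float, time_score: float, network: str, exploit: str,
               asset_importance: float = 1.0) -> Tuple[Optional[float], str]:
    """Combine the lookups: returns (severity score, fix priority)."""
    score = severity_score(cvss, time_score, environment_score(network, exploit),
                           asset_importance)
    return score, fix_priority(score)

if __name__ == "__main__":
    # Constructed sample: Internet-facing server, remotely exploitable CVSS 9.8 bug
    print(prioritize(9.8, 0.8, "internet", "remote"))   # (11.76, 'Important')
```

The maximum of 10 x 1 x 1.5 x 1 = 15 matches the top of the Critical band, and an Internet-facing but only locally exploitable vulnerability of CVSS 7.5 lands in Moderate, which is the point of the environment score.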