Security Center displays a severity score for each detected vulnerability to help you prioritize vulnerabilities. This topic describes how the severity score is calculated and how to use it to decide which vulnerabilities to fix first.

Background information

Prioritizing vulnerabilities is essential to protect your Alibaba Cloud assets. If you have a large number of assets, you may not be able to assess which vulnerabilities need to be fixed first when a large number of vulnerabilities are detected. To solve this problem, Security Center provides a scoring criterion to help you prioritize vulnerabilities.

The severity score

Calculation method

Severity score = CVSS score × Time score × Environment score × Asset importance score

The following table describes the parameters.

Parameter: CVSS score
Description: The Common Vulnerability Scoring System (CVSS) score of the vulnerability. Valid values: 0 to 10.
Remark: CVSS is used to assess the severity of a vulnerability.

Parameter: Time score
Description: Complements the CVSS score with a dynamic time curve that takes into account factors such as the delay in deploying vulnerability mitigations and the spread of exploit methods. Valid values: 0 to 1.
Remark: Within the first three days after a vulnerability is published, the likelihood that it is exploited rises sharply because of increased exposure. During this period the value rises from 0 to a temporary peak that is less than 1, then drops considerably. Because vulnerabilities become easier to exploit over time, the value then rises again and approaches 1 within 100 days.

Parameter: Environment score
Description: The environment of your servers. To calculate the environment score, Security Center considers factors such as the conditions required to exploit the vulnerability and the status of your server.
Remark: The environment score is vital to prioritizing a vulnerability. Factors that determine the environment score include:
  • If your server is connected to the Internet:
    • If the vulnerability can be exploited remotely, the value is set to 1.5.
    • If the vulnerability can be exploited, the value is set to 1.2.
    • If the vulnerability can be exploited locally, the value is set to 1.
    • If the vulnerability can only be exploited in a complex cloud environment, Security Center lowers the weight of the environment score and dynamically adjusts it based on the actual conditions of your server.
  • If your server is connected only to internal networks, not to the Internet:
    • If the vulnerability can be exploited remotely, Security Center lowers the weight of the environment score and dynamically adjusts it based on the actual conditions of your server.
    • If the vulnerability can be exploited, the value is set to 1.2.
    • If the vulnerability can be exploited locally, the value is set to 1.
    • If the vulnerability can only be exploited in a complex cloud environment, Security Center lowers the weight of the environment score and dynamically adjusts it based on the actual conditions of your server.

Parameter: Asset importance score
Description: If you have a large number of servers, the system calculates an asset importance score for each server or asset based on its importance in different scenarios. The default value is 1.
Remark: The asset importance score is one of the factors that determine the final severity score and helps you prioritize vulnerabilities. On the Assets page, you can classify specific assets as Important Assets, General Assets, or Test Assets. The asset importance scores for the asset types are:
  • Important Assets: 1.5
  • General Assets: 1
  • Test Assets: 0.5

Vulnerability priorities

  • Critical: The severity score is between 13.5 and 15, which typically represents a high-risk vulnerability.
  • Important: The severity score is between 7.1 and 13.5, which typically represents a medium-risk vulnerability.
  • Moderate: The severity score is below 7, which typically represents a low-risk vulnerability.
Note
  • When the environment score cannot be calculated due to reasons such as unstable network connections, the priority is Moderate.
  • Emergency and web-CMS vulnerabilities are high-risk vulnerabilities confirmed by Alibaba Cloud security engineers. We recommend that you fix these two types of vulnerabilities first.
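The following worked example is added here to show the scoring formula, the fixed environment and asset importance values, and the priority bands applied end to end; it is not Alibaba Cloud's code. The vulnerability records, their ids and the CVSS and time score values are constructed for illustration. The page does not say how a score exactly on a band boundary, a score above 15, or the "dynamically adjusted" environment cases are handled, so the treatment of those (marked ASSUMPTION in the code) is a choice made here. The time score is taken as an input rather than modelled, because the page describes its curve only qualitatively.

```python
"""Worked example of the Security Center severity-score formula:

    Severity score = CVSS score x Time score x Environment score x Asset importance score

Fixed values come from the page; anything marked ASSUMPTION is a choice made
here because the page leaves it open.
"""
from typing import Optional

# Environment score by (server reachable from the Internet?, exploit condition).
# Only the cases with a fixed value on the page appear here. The cases the page
# describes as "dynamically adjusted" by Security Center have no fixed value.
ENVIRONMENT_SCORES = {
    (True, "remote"): 1.5,
    (True, "exploitable"): 1.2,
    (True, "local"): 1.0,
    (False, "exploitable"): 1.2,
    (False, "local"): 1.0,
}

# Asset importance by the asset type set on the Assets page (default is General).
ASSET_IMPORTANCE = {"important": 1.5, "general": 1.0, "test": 0.5}


def environment_score(internet_facing: bool, exploit_condition: str,
                      adjusted_weight: Optional[float] = None) -> Optional[float]:
    """Return the environment score, or None when it cannot be determined.

    ASSUMPTION: the dynamic weight Security Center applies to the "remote
    exploit on an internal-only server" and "complex cloud environment" cases
    is modelled as a caller-supplied adjusted_weight; without it the score is
    treated as not computable.
    """
    if adjusted_weight is not None:
        return adjusted_weight
    return ENVIRONMENT_SCORES.get((internet_facing, exploit_condition))


def severity_score(cvss: float, time_score: float,
                   env_score: Optional[float], asset_type: str) -> Optional[float]:
    """Multiply the four factors; None when the environment score is unknown."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS score must be within 0 to 10")
    if not 0.0 <= time_score <= 1.0:
        raise ValueError("time score must be within 0 to 1")
    if env_score is None:
        return None
    return cvss * time_score * env_score * ASSET_IMPORTANCE[asset_type]


def priority(score: Optional[float]) -> str:
    """Map a severity score to the page's priority bands.

    The page states Critical = 13.5 to 15, Important = 7.1 to 13.5, Moderate
    below 7. ASSUMPTION: a score on a boundary takes the higher band, and a
    score above 15 (possible since 10 x 1 x 1.5 x 1.5 = 22.5) is Critical.
    An uncomputable environment score yields Moderate, as the page's note says.
    """
    if score is None:
        return "Moderate"
    if score >= 13.5:
        return "Critical"
    if score >= 7.1:
        return "Important"
    return "Moderate"


def rank(vulns: list) -> list:
    """Score each record and return them ordered from most to least urgent."""
    ranked = []
    for v in vulns:
        env = environment_score(v["internet_facing"], v["exploit_condition"],
                                v.get("adjusted_weight"))
        score = severity_score(v["cvss"], v["time_score"], env, v["asset_type"])
        ranked.append({"id": v["id"], "score": score, "priority": priority(score)})
    # Records whose score could not be computed sort last.
    return sorted(ranked,
                  key=lambda r: -1.0 if r["score"] is None else r["score"],
                  reverse=True)


# Constructed sample records with placeholder ids (not real findings).
SAMPLE_VULNS = [
    {"id": "VULN-A", "cvss": 9.8, "time_score": 0.95, "internet_facing": True,
     "exploit_condition": "remote", "asset_type": "important"},
    {"id": "VULN-B", "cvss": 8.0, "time_score": 1.0, "internet_facing": True,
     "exploit_condition": "exploitable", "asset_type": "general"},
    {"id": "VULN-C", "cvss": 7.5, "time_score": 0.6, "internet_facing": False,
     "exploit_condition": "local", "asset_type": "test"},
    # Remote exploit on an internal-only server: dynamic case, no weight supplied.
    {"id": "VULN-D", "cvss": 9.0, "time_score": 0.9, "internet_facing": False,
     "exploit_condition": "remote", "asset_type": "general"},
]

if __name__ == "__main__":
    for row in rank(SAMPLE_VULNS):
        print(row)
```

Running the block ranks VULN-A first (9.8 x 0.95 x 1.5 x 1.5 = 20.9475, Critical), then VULN-B (9.6, Important), VULN-C (2.25, Moderate) and finally VULN-D, whose environment score could not be fixed and which therefore falls to Moderate. Supplying an `adjusted_weight` for VULN-D would move it back into the normal calculation.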