The prioritization of vulnerability fixes is essential to cloud asset protection. If you have a large number of assets, Security Center may discover thousands of vulnerabilities on them, and such a large number makes it difficult to decide which vulnerabilities to fix first. To resolve this issue, Security Center provides a set of prioritization standards that you can use to rank these vulnerabilities.

Vulnerability severity score

Security Center uses vulnerability severity scores to prioritize Linux software vulnerabilities and Windows vulnerabilities. Vulnerability fix priorities calculated based on vulnerability severity scores include Urgent, Less urgent, and Not urgent.
Note Emergency vulnerabilities and web content management system (WCMS) vulnerabilities are critical vulnerabilities confirmed by Alibaba Cloud security engineers, which must be fixed immediately.

Vulnerability severity scores can be calculated by using the following formula:

Vulnerability Severity Score = Vulnerability CVSS Base Score x Temporal Score x Environmental Score x Asset Importance Score

The descriptions for these scores are as follows:
  • Vulnerability CVSS Base Score: Specifies the CVSS v2 or CVSS v3 base score of the vulnerability, in the range of 0 to 10.
  • Temporal Score: A temporal score is derived from multiple metrics and lies in the range of 0 to 1. These metrics include the exploit maturity of the vulnerability and the remediation latency.

    In the first three days after a vulnerability is disclosed, the probability that it is exploited rises sharply as public awareness of the vulnerability increases. The temporal score rises from 0 to a peak value that is smaller than 1, and then drops quickly. However, as time passes, the vulnerability becomes more likely to be exploited because exploit techniques develop rapidly. The temporal score then gradually increases and approaches 1 within 100 days.

  • Environmental Score: Your actual environment is essential to vulnerability prioritization. An environmental score is measured based on your server and the exploitability of the corresponding vulnerability.

    The following environmental factors are currently used to calculate an environmental score:

    • Your server receives traffic from the public network:
      • If the vulnerability can be remotely exploited, the environmental score is 1.5.
      • If the vulnerability can be exploited by attackers in a neighboring network, the environmental score is 1.2.
      • If the vulnerability can be locally exploited, the environmental score is 1.
      • If the vulnerability can only be exploited in a complex environment that cannot be recreated in the cloud, the environmental score greatly decreases.
    • Your server receives traffic only from VPCs:
      • If the vulnerability can be remotely exploited, the environmental score greatly decreases. In this case, the environmental score is set to 0.
      • If the vulnerability can be exploited by attackers in a neighboring network, the environmental score is 1.2.
      • If the vulnerability can be locally exploited, the environmental score is 1.
      • If the vulnerability can only be exploited in a complex environment that cannot be recreated in the cloud, the environmental score greatly decreases.
  • Asset Importance Score: Asset importance scores are assigned to servers or assets based on their business scenarios when you have a large number of servers or assets.
    Note The default asset importance score is 1.

It takes 48 hours for Security Center to calculate a vulnerability severity score from the time that the vulnerability was detected by Security Center.

Note
  • When a vulnerability is identified, the corresponding authority may not yet have assigned a CVSS base score to the vulnerability. Security Center provides the vulnerability severity score 48 hours after the authority has published the CVSS base score.
  • Network malfunctions, such as the Security Center agent being offline, may cause the environmental score calculation to fail. In this case, the vulnerability severity score becomes available within 48 hours after your network has recovered.

Vulnerability fix priorities

  • Urgent: The recommended vulnerability severity score is in the range of 13.5 to 15.
  • Less urgent: The recommended vulnerability severity score is in the range of 7.1 to 13.5.
  • Not urgent: The recommended vulnerability severity score is smaller than 7.

Vulnerability fix priorities in special scenarios

  • Security Center weights the priority of a vulnerability that has just been detected based on the environment of your server. This process takes 48 hours. During this process, the priority of the vulnerability is measured based on the severity of the vulnerability as follows:
    • If the severity of the vulnerability is critical, the priority is Urgent.
    • If the severity of the vulnerability is high or medium, its priority is Less urgent.
    • If the severity of the vulnerability is low, its priority is Not urgent.
  • If the environmental score of a vulnerability cannot be measured because of network issues (such as the Security Center agent being offline), the priority of the vulnerability is set to Not urgent.
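The following Python script is an added illustration of the scoring model described in the "Vulnerability severity score" section and of the priority mapping in the two sections above. It is not Security Center's own code. The environmental-score table and the priority thresholds are taken from the text; the numeric value used for "greatly decreases" in a complex environment, the exact shape of the temporal curve, and the helper names (environmental_score, temporal_score, severity_score, prioritize) are assumptions made for the example.

```python
"""Worked model of Security Center's vulnerability severity score and fix priority.

Severity Score = CVSS Base Score x Temporal Score x Environmental Score x Asset Importance Score
"""

# Environmental score by (network exposure, attack vector), as listed on the page.
ENV_SCORE = {
    ("public", "remote"): 1.5,
    ("public", "adjacent"): 1.2,
    ("public", "local"): 1.0,
    ("vpc", "remote"): 0.0,      # remote exploits are not reachable from VPC-only traffic
    ("vpc", "adjacent"): 1.2,
    ("vpc", "local"): 1.0,
}
# ASSUMPTION: the page only says the score "greatly decreases" for vulnerabilities that
# need a complex environment that cannot be recreated in the cloud; 0.1 is a placeholder.
COMPLEX_ENV_SCORE = 0.1


def environmental_score(exposure: str, attack_vector: str) -> float:
    """exposure: 'public' or 'vpc'; attack_vector: 'remote', 'adjacent', 'local' or 'complex'."""
    if attack_vector == "complex":
        return COMPLEX_ENV_SCORE
    try:
        return ENV_SCORE[(exposure, attack_vector)]
    except KeyError:
        raise ValueError(f"unknown combination: {exposure!r}, {attack_vector!r}")


def temporal_score(days_since_disclosure: float) -> float:
    """ASSUMED piecewise-linear curve matching the page's description: rises from 0 to a
    peak below 1 over the first 3 days, drops quickly, then climbs to 1.0 by day 100."""
    d = max(0.0, float(days_since_disclosure))
    if d <= 3:
        return 0.8 * d / 3                      # climb to an assumed peak of 0.8
    if d <= 10:
        return 0.8 - 0.5 * (d - 3) / 7          # fall to 0.3 by day 10
    if d <= 100:
        return 0.3 + 0.7 * (d - 10) / 90        # slow rise to 1.0 at day 100
    return 1.0


def severity_score(cvss_base: float, temporal: float, environmental: float,
                   asset_importance: float = 1.0) -> float:
    """Apply the page's formula; default asset importance is 1 as stated in the note."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in 0..10")
    if not 0.0 <= temporal <= 1.0:
        raise ValueError("temporal score must be in 0..1")
    return round(cvss_base * temporal * environmental * asset_importance, 2)


def priority_from_score(score: float) -> str:
    """Map a severity score to a fix priority using the page's ranges.
    The page lists 13.5 in both the Urgent and Less urgent ranges and leaves 7.0..7.1
    unspecified; this implementation treats 13.5 as Urgent and anything below 7.1 as Not urgent."""
    if score >= 13.5:
        return "Urgent"
    if score >= 7.1:
        return "Less urgent"
    return "Not urgent"


def interim_priority(severity_level: str) -> str:
    """Priority used during the 48-hour window before the environmental weighting is done."""
    level = severity_level.lower()
    if level == "critical":
        return "Urgent"
    if level in ("high", "medium"):
        return "Less urgent"
    if level == "low":
        return "Not urgent"
    raise ValueError(f"unknown severity level: {severity_level!r}")


def prioritize(cvss_base: float, severity_level: str, days_since_disclosure: float,
               hours_since_detection: float, exposure: str, attack_vector: str,
               env_score_available: bool = True, asset_importance: float = 1.0) -> str:
    """Combine the special-scenario rules with the computed score."""
    if not env_score_available:          # agent offline / network issue: score cannot be measured
        return "Not urgent"
    if hours_since_detection < 48:       # environmental weighting still in progress
        return interim_priority(severity_level)
    score = severity_score(cvss_base, temporal_score(days_since_disclosure),
                           environmental_score(exposure, attack_vector), asset_importance)
    return priority_from_score(score)


if __name__ == "__main__":
    # Constructed sample: a remotely exploitable CVSS 10.0 flaw on an internet-facing host.
    print(prioritize(10.0, "critical", 120, 72, "public", "remote"))   # Urgent
    # Same flaw, but the host only receives VPC traffic: environmental score is 0.
    print(prioritize(10.0, "critical", 120, 72, "vpc", "remote"))      # Not urgent
```

The second sample in the usage block is the practical takeaway of the environmental score: an identical CVSS 10.0 vulnerability drops from Urgent to Not urgent purely because the asset is not reachable from the public network, so keeping the exposure classification of each server accurate matters as much as the CVSS feed itself.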