Security Center displays a severity score for each detected vulnerability to help you prioritize remediation. This topic describes how that score is calculated and how it maps to a priority.
Prioritizing vulnerabilities is essential to protecting your Alibaba Cloud assets. If you have a large number of assets and a large number of vulnerabilities are detected, it can be difficult to judge which vulnerabilities must be fixed first. To solve this problem, Security Center provides a scoring criterion that ranks vulnerabilities for you.
Severity score = CVSS score × Time score × Environment score × Asset importance score
| Parameter | Description | Remarks |
| --- | --- | --- |
| CVSS score | The Common Vulnerability Scoring System (CVSS) score of the vulnerability. Valid values: 0 to 10. | CVSS is used to assess the severity of a vulnerability. |
| Time score | Complements the CVSS score. The time score follows a dynamic time curve derived from factors such as the delay before vulnerability mitigations are deployed and how widely exploit methods for the vulnerability have spread. Valid values: 0 to 1. | Within the first three days after a vulnerability is publicized, the likelihood that it is exploited rises sharply because of increased exposure. During this time, the value rises from 0 to a temporary peak that is less than 1, and then drops sharply. Because vulnerabilities become easier to exploit over time, the value then rises again and approaches 1 within 100 days. |
| Environment score | The environment of your servers. Security Center calculates the environment score from factors such as the conditions required to exploit the vulnerability and the status of your server. The environment score is vital to prioritizing a vulnerability. | Factors that determine the environment score include: |
| Asset importance score | If you have a large number of servers, the system calculates an asset importance score for each server or asset based on its importance in different scenarios. The asset importance score is one of the factors that determine the final severity score and helps you prioritize vulnerabilities. | The default value is 1. On the Assets page, you can mark specific assets as Important Assets, General Assets, or Test Assets. The asset importance scores that correspond to the asset types: |
- Critical: The severity score is between 13.5 and 15, which typically represents a high-risk vulnerability.
- Important: The severity score is between 7.1 and 13.5, which typically represents a medium-risk vulnerability.
- Moderate: The severity score is below 7, which typically represents a low-risk vulnerability.
- When the environment score cannot be calculated due to reasons such as unstable network connections, the priority is Moderate.
- Emergency and web-CMS vulnerabilities are high-risk vulnerabilities confirmed by Alibaba Cloud security engineers. We recommend that you fix these two types of vulnerabilities first.
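As an added example (not Alibaba Cloud's own code), the following Python puts the formula and the priority thresholds above together: it computes the severity score for constructed findings, falls back to Moderate when the environment score is unavailable, and orders remediation with emergency and web-CMS findings first. The `Finding` fields, the `vuln_type` labels and all sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

CRITICAL_MIN = 13.5   # Critical: 13.5 to 15 (severity scale tops out at 15)
IMPORTANT_MIN = 7.1   # Important: 7.1 to 13.5

@dataclass
class Finding:
    name: str
    cvss: float                  # CVSS score, 0 to 10
    time_score: float            # time score, 0 to 1
    env_score: Optional[float]   # None when Security Center could not compute it
    asset_score: float = 1.0     # asset importance score, default 1
    vuln_type: str = "linux"     # constructed label; "emergency"/"web-cms" are fixed first

def severity_score(f: Finding) -> Optional[float]:
    """Severity = CVSS x Time x Environment x Asset importance; None if no environment score."""
    if not 0 <= f.cvss <= 10 or not 0 <= f.time_score <= 1:
        raise ValueError(f"{f.name}: CVSS must be 0-10 and time score 0-1")
    if f.env_score is None:
        return None
    return f.cvss * f.time_score * f.env_score * f.asset_score

def priority(f: Finding) -> str:
    """Map the severity score to the Critical / Important / Moderate priority."""
    score = severity_score(f)
    if score is None:            # unavailable environment score -> Moderate
        return "Moderate"
    if score >= CRITICAL_MIN:
        return "Critical"
    if score >= IMPORTANT_MIN:
        return "Important"
    return "Moderate"            # assumption: 7.0-7.1 (unspecified in the topic) counts as Moderate

def fix_order(findings: List[Finding]) -> List[Finding]:
    """Emergency and web-CMS findings first, then descending severity; unscored findings last."""
    def key(f: Finding):
        score = severity_score(f)
        return (f.vuln_type not in ("emergency", "web-cms"), score is None, -(score or 0.0))
    return sorted(findings, key=key)

# Constructed sample findings, not real Security Center output.
SAMPLE = [
    Finding("a", cvss=9.8, time_score=1.0, env_score=1.0, asset_score=1.5),
    Finding("b", cvss=7.5, time_score=0.8, env_score=1.0),
    Finding("c", cvss=9.0, time_score=0.9, env_score=1.0),
    Finding("d", cvss=5.0, time_score=0.5, env_score=None),
    Finding("e", cvss=6.5, time_score=0.7, env_score=1.0, vuln_type="web-cms"),
]
```

Running `fix_order(SAMPLE)` yields e, a, c, b, d: the web-CMS finding first, then the scored findings by severity, and the finding without an environment score last.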