Security Contextual Risk Enumeration System (SCORES) is a simple and effective way of prioritizing vulnerabilities and misconfigurations alike.
Imagine you have ended up with thousands of issues identified while running vulnerability assessment and penetration testing tools on your IT infrastructure. Remediating all of them is often a daunting task. SCORES helps you prioritize these vulnerabilities using proven decision science algorithms. So each time you hear of a new CVE (Log4j, Follina and others), don't panic. Keep calm and SCORE.
SCORES is developed by Risk-Score. So far it has been used in 1000+ assessments, prioritizing 1000000+ identified vulnerabilities. It is used by organizations across verticals such as IT, ITES, EdTech, FinTech, Pharma, Healthcare and IoT, among many others.
Common Vulnerability Scoring System (CVSS) is predominantly static and does not consider your organization's context or the context of the asset on which a vulnerability is identified. It is a vulnerability scoring system, not a risk scoring system: the mere existence of a vulnerability is not a risk on its own. Prioritizing vulnerabilities usually involves many contextual parameters and tough decisions. For example, consider a CVSSv3 score of 9.8 (highly critical) found on a Windows server that holds minimal customer data, versus a CVSSv3 score of 7 (moderate severity) found on a database server that contains most of your customer data. What if one CVE has a known exploit and the other does not? What if the Windows server faces the Internet, whereas the database server is behind a VPN? Also, CVSS is not applicable to application security vulnerabilities and misconfigurations such as the OWASP Top Ten or CIS Benchmarks.
Exploit Prediction Scoring System (EPSS) is the latest standard from first.org, intended predominantly to predict whether an exploit is likely to be developed in the near future. It is only one of many parameters needed to prioritize vulnerabilities.
SCORES is based on simple foundational principles that are widely accepted by the risk community in general, i.e. risk is a function of the likelihood of a threat and its impact. A risk score is computed for each vulnerability using numerous factors. A high-level overview is given below:
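To make the likelihood-times-impact idea concrete, here is an added example (not Risk-Score's code and not the SCORES algorithm) that scores the two servers from the CVSS discussion above with an illustrative model: the exposure and exploit factors and the data-sensitivity values are assumptions chosen for the example, and a third constructed finding shows how the same CVSS 9.8 ranks very differently once context is applied.

```python
from dataclasses import dataclass

# Illustrative contextual model (assumed weights, not SCORES's proprietary ones).
EXPOSURE = {"internet": 1.0, "vpn": 0.5, "internal": 0.3}
EXPLOIT_KNOWN, EXPLOIT_UNKNOWN = 1.0, 0.4


@dataclass
class Finding:
    name: str
    cvss: float               # CVSSv3 base score, 0-10 (static severity only)
    exposure: str             # "internet", "vpn" or "internal"
    exploit_known: bool       # public exploit available for this CVE
    data_sensitivity: float   # 0.0 (no customer data) .. 1.0 (most customer data)


def likelihood(f: Finding) -> float:
    """How likely the issue is to be exploited in its actual environment."""
    exploit = EXPLOIT_KNOWN if f.exploit_known else EXPLOIT_UNKNOWN
    return (f.cvss / 10.0) * EXPOSURE[f.exposure] * exploit


def impact(f: Finding) -> float:
    """Business impact, driven here only by the data the asset holds."""
    return f.data_sensitivity


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0-100 and rounded."""
    return round(likelihood(f) * impact(f) * 100, 1)


def prioritize(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings mirroring the scenario in the text.
FINDINGS = [
    Finding("win-cvss9.8-internet-exploit", 9.8, "internet", True, 0.2),
    Finding("db-cvss7.0-vpn-noexploit", 7.0, "vpn", False, 0.9),
    Finding("win-cvss9.8-vpn-noexploit", 9.8, "vpn", False, 0.2),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.name:32} CVSS={f.cvss:4}  risk={risk_score(f):5}")
```

Sorted purely by CVSS the two 9.8 findings would tie at the top; with context applied, the 7.0 on the database server outranks one of them.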
You can learn more about the terminology, definitions and examples here.