7min reading time
How useful is CVSS Score in CVE triage - The CVSS who cried wolf
Based on CVSS score alone, you cannot effectively prioritize issues without taking considerable risk. Other than the practically non-existent Low severity category, every CVSS severity category contains numerous exploited vulnerabilities.
#security #cves #exploitation #CVSS
6min reading time
We analyzed 750 exploited vulnerabilities so you don't have to
Doing what sounds reasonable is great, but we have data. TL;DR: most vulnerabilities that you must patch are in collaboration tools, CMSs, web frameworks, web servers, administrative and developer tools, and security appliances. You should also set automatic updates for Windows.
#security #cve #patching
5min reading time
The problem with CVEs
So this one goes out to the young DevOps, shift left automation folk. I don’t think any of this is going to be new if you are an OG sysadmin and ever waited with dread for the next Patch Tuesday.
#security #cve #devops