Vulnerability Remediation Priority Calculator

ANA›Life Services Authority›National Calculator Authority›Vulnerability Remediation Priority Calculator

.calc-container { max-width: 640px; margin: 2rem 0; padding: 1.5rem; background: #fff; border: 1px solid #ddd; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.06); font-family: system-ui, -apple-system, sans-serif; } .calc-container h3 { font-family: Georgia, serif; font-size: 1.15rem; color: #1a1a1a; margin-bottom: 1rem; padding-bottom: 0.5rem; border-bottom: 2px solid var(--ac, #3d5a80); } .calc-row { display: flex; align-items: center; gap: 0.75rem; margin-bottom: 0.75rem; flex-wrap: wrap; } .calc-row label { min-width: 160px; font-size: 0.9rem; color: #333; font-weight: 500; } .calc-row input[type="number"], .calc-row select { flex: 1; min-width: 120px; max-width: 200px; padding: 0.5rem 0.6rem; border: 1px solid #ccc; border-radius: 4px; font-size: 0.9rem; font-family: system-ui, sans-serif; color: #1a1a1a; background: #fafaf8; } .calc-row input:focus, .calc-row select:focus { outline: none; border-color: var(--ac, #3d5a80); box-shadow: 0 0 0 2px rgba(26,74,138,0.12); } .calc-row .unit { font-size: 0.82rem; color: #888; min-width: 30px; } .calc-btn { display: inline-block; margin-top: 0.5rem; padding: 0.55rem 1.5rem; background: var(--ac, #3d5a80); color: #fff; border: none; border-radius: 4px; font-size: 0.9rem; font-weight: 600; cursor: pointer; font-family: system-ui, sans-serif; } .calc-btn:hover { opacity: 0.9; } .calc-result { margin-top: 1.25rem; padding: 1rem 1.25rem; background: #f0f6fc; border-left: 3px solid var(--ac, #3d5a80); border-radius: 0 6px 6px 0; display: none; } .calc-result.visible { display: block; } .calc-result-label { font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.06em; color: #666; margin-bottom: 0.25rem; } .calc-result-value { font-size: 1.6rem; font-weight: 700; color: var(--ac, #3d5a80); } .calc-result-detail { font-size: 0.85rem; color: #555; margin-top: 0.5rem; line-height: 1.5; } .calc-note { margin-top: 1rem; font-size: 0.8rem; color: #888; font-style: italic; } .calc-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 0.75rem; margin-top: 0.75rem; } .calc-grid-item { padding: 0.6rem 0.8rem; background: #f8f9fa; border-radius: 4px; border: 1px solid #eee; } .calc-grid-item .label { font-size: 0.75rem; color: #888; text-transform: uppercase; letter-spacing: 0.04em; } .calc-grid-item .value { font-size: 1.1rem; font-weight: 600; color: #1a1a1a; } @media (max-width: 720px) { .calc-row { flex-direction: column; align-items: flex-start; gap: 0.3rem; } .calc-row label { min-width: auto; } .calc-row input[type="number"], .calc-row select { max-width: 100%; width: 100%; } .calc-grid { grid-template-columns: 1fr; } } .calc-chart { margin: 1rem 0; text-align: center; } .calc-chart svg { max-width: 100%; height: auto; } .calc-chart-legend { display: flex; flex-wrap: wrap; justify-content: center; gap: 0.6rem 1.2rem; margin-top: 0.6rem; font-size: 0.8rem; color: #555; } .calc-chart-legend span { display: inline-flex; align-items: center; gap: 0.3rem; } .calc-chart-legend i { display: inline-block; width: 10px; height: 10px; border-radius: 2px; font-style: normal; } .calc-related { max-width: 640px; margin: 2rem 0 1rem; padding: 1.25rem 1.5rem; background: #f8f9fa; border: 1px solid #e8e8e8; border-radius: 8px; } .calc-related h3 { font-family: Georgia, serif; font-size: 1rem; color: #1a1a1a; margin: 0 0 0.75rem; padding-bottom: 0.4rem; border-bottom: 2px solid var(--ac, #3d5a80); } .calc-related-list { list-style: none; padding: 0; margin: 0 0 0.75rem; display: grid; grid-template-columns: 1fr 1fr; gap: 0.4rem 1.5rem; } .calc-related-list li a { font-size: 0.88rem; color: var(--ac, #3d5a80); text-decoration: none; } .calc-related-list li a:hover { text-decoration: underline; } .calc-browse-all { margin: 0.5rem 0 0; font-size: 0.9rem; font-weight: 600; } .calc-browse-all a { color: var(--ac, #3d5a80); text-decoration: none; } .calc-browse-all a:hover { text-decoration: underline; } @media (max-width: 720px) { .calc-related-list { grid-template-columns: 1fr; } }

Vulnerability Remediation Priority Calculator

Calculate a weighted remediation priority score to help security teams triage and schedule vulnerability fixes based on severity, exploitability, asset value, and network exposure.

CVSS Base Score (0.0 – 10.0)

Exploit Availability

No known exploit (1.0) Proof-of-concept exists (1.2) Exploit publicly available (1.5) Actively exploited in the wild (2.0)

Asset Criticality

Low – internal dev/test system (0.5) Medium – standard business system (1.0) High – customer-facing or sensitive data (1.5) Critical – core infrastructure / production (2.0)

Network Exposure

Isolated / air-gapped (0.5) Internal network only (1.0) Internal + VPN accessible (1.5) Internet-facing / public (2.0)

Days Since Vulnerability Disclosed

Patch / Fix Available?

Yes – patch available (1.0) Workaround only (1.3) No fix available (1.6)

Calculate Priority Score

function vulCalc() { // --- Read inputs --- var cvss = parseFloat(document.getElementById('vul-cvss').value); var exploit = parseFloat(document.getElementById('vul-exploit').value); var asset = parseFloat(document.getElementById('vul-asset').value); var exposure = parseFloat(document.getElementById('vul-exposure').value); var age = parseFloat(document.getElementById('vul-age').value); var patch = parseFloat(document.getElementById('vul-patch').value);

// --- Validation --- var errors = []; if (isNaN(cvss) || cvss 10) errors.push("CVSS Base Score must be between 0.0 and 10.0."); if (isNaN(age) || age 3650) errors.push("Days since disclosure must be between 0 and 3650.");

var resultDiv = document.getElementById('vul-result'); if (errors.length > 0) { resultDiv.style.display = 'block'; resultDiv.innerHTML = '⚠ ' + errors.join('⚠ ') + ''; return; }

// --- Age urgency multiplier --- // Logarithmic growth: older unpatched vulns get higher urgency, capped at 2.0 // ageFactor = 1.0 + min(log10(age + 1) / log10(366), 1.0) var ageFactor = 1.0 + Math.min(Math.log10(age + 1) / Math.log10(366), 1.0);

// --- Core Priority Score --- // PriorityScore = (CVSS / 10) * 10 * ExploitMultiplier * AssetMultiplier // * ExposureMultiplier * AgeFactor * PatchMultiplier // Normalised to a 0–100 scale var rawScore = (cvss / 10) * 10 * exploit * asset * exposure * ageFactor * patch;

// Maximum theoretical raw score: // (10/10)10 * 2.0 * 2.0 * 2.0 * 2.0 * 1.6 = 10 * 2222*1.6 = 10 * 25.6 = 256 var maxRaw = 10 * 2.0 * 2.0 * 2.0 * 2.0 * 1.6; var priorityScore = Math.min((rawScore / maxRaw) * 100, 100); priorityScore = Math.round(priorityScore * 10) / 10;

// --- Priority Band --- var band, bandColor, sla; if (priorityScore >= 75) { band = "Critical"; bandColor = "#c0392b"; sla = "Remediate within 24 hours"; } else if (priorityScore >= 50) { band = "High"; bandColor = "#e67e22"; sla = "Remediate within 7 days"; } else if (priorityScore >= 25) { band = "Medium"; bandColor = "#f1c40f"; sla = "Remediate within 30 days"; } else { band = "Low"; bandColor = "#27ae60"; sla = "Remediate within 90 days"; }

// --- CVSS Severity label --- var cvssLabel; if (cvss >= 9.0) cvssLabel = "Critical"; else if (cvss >= 7.0) cvssLabel = "High"; else if (cvss >= 4.0) cvssLabel = "Medium"; else if (cvss > 0.0) cvssLabel = "Low"; else cvssLabel = "None";

// --- Output --- resultDiv.style.display = 'block'; resultDiv.innerHTML = '### Remediation Priority Score: ' + priorityScore.toFixed(1) + ' / 100 ' + 'Priority Band: ' + band + '

' + 'Recommended SLA: ' + sla + '

' + '' + 'CVSS Base Score: ' + cvss.toFixed(1) + ' (' + cvssLabel + ')

' + 'Exploit Multiplier: ×' + exploit.toFixed(1) + '

' + 'Asset Criticality Multiplier: ×' + asset.toFixed(1) + '

' + 'Exposure Multiplier: ×' + exposure.toFixed(1) + '

' + 'Age Urgency Factor: ×' + ageFactor.toFixed(3) + ' (' + age + ' days)

' + 'Patch Availability Multiplier: ×' + patch.toFixed(1) + '

' + 'Raw Score: ' + rawScore.toFixed(3) + ' (max possible: ' + maxRaw.toFixed(1) + ')

'; }

#### Formula

Raw Score = (CVSS ÷ 10) × 10 × Em × Am × Xm × Fage × Pm

Priority Score = min( Raw Score ÷ Max Raw Score × 100, 100 )

Age Urgency Factor Fage = 1 + min( log10(days + 1) ÷ log10(366), 1.0 )

Max Raw Score = 10 × 2.0 × 2.0 × 2.0 × 2.0 × 1.6 = 256

Variable Symbol Range

CVSS Base ScoreCVSS0.0 – 10.0 Exploit MultiplierEm1.0 – 2.0 Asset CriticalityAm0.5 – 2.0 Network ExposureXm0.5 – 2.0 Age Urgency FactorFage1.0 – 2.0 Patch MultiplierPm1.0 – 1.6

Priority Bands: ■ Critical (75–100) ■ High (50–74) ■ Medium (25–49) ■ Low (0–24)

#### Assumptions & References

CVSS Base Score follows the CVSS v3.1 specification published by FIRST (Forum of Incident Response and Security Teams). Scores range from 0.0 (None) to 10.0 (Critical).
Exploit multipliers are derived from the CVSS Temporal / Exploit Code Maturity metric and the CISA Known Exploited Vulnerabilities (KEV) Catalog weighting approach.
Asset criticality and network exposure multipliers align with the NIST SP 800-30 Rev. 1 risk assessment framework for impact and likelihood weighting.
The age urgency factor uses a logarithmic scale (base 10, normalised to 1 year = 365 days) so that urgency grows quickly in the first weeks and plateaus for very old vulnerabilities, reflecting real-world patching dynamics.
The patch availability multiplier reflects the CVSS Remediation Level temporal metric: official fix < workaround < unavailable.
Recommended SLA thresholds are consistent with PCI DSS 4.0 (critical: 1 day), NIST CSF, and common enterprise vulnerability management policies.
This calculator provides a relative triage score and does not replace a full risk assessment. Scores should be reviewed alongside business context and threat intelligence.

Vulnerability Remediation Priority Calculator

Vulnerability Remediation Priority Calculator

More Calculators

Read Next

References

Vulnerability Remediation Priority Calculator

Vulnerability Remediation Priority Calculator

More Calculators

Read Next

References

Related Authorities