Vulnerability Remediation Priority Calculator

Calculate a weighted remediation priority score to help security teams triage and schedule vulnerability fixes based on severity, exploitability, asset value, and network exposure.

CVSS Base Score (0.0 – 10.0)

Exploit Availability

Asset Criticality

Network Exposure

Days Since Vulnerability Disclosed

Patch / Fix Available?

Formula

Raw Score = (CVSS ÷ 10) × 10 × E_m × A_m × X_m × F_age × P_m

Priority Score = min( Raw Score ÷ Max Raw Score × 100, 100 )

Age Urgency Factor F_age = 1 + min( log₁₀(days + 1) ÷ log₁₀(366), 1.0 )

Max Raw Score = 10 × 2.0 × 2.0 × 2.0 × 2.0 × 1.6 = 256

Variable	Symbol	Range
CVSS Base Score	CVSS	0.0 – 10.0
Exploit Multiplier	E_m	1.0 – 2.0
Asset Criticality	A_m	0.5 – 2.0
Network Exposure	X_m	0.5 – 2.0
Age Urgency Factor	F_age	1.0 – 2.0
Patch Multiplier	P_m	1.0 – 1.6

Priority Bands: ■ Critical (75–100) ■ High (50–74) ■ Medium (25–49) ■ Low (0–24)

Assumptions & References

CVSS Base Score follows the CVSS v3.1 specification published by FIRST (Forum of Incident Response and Security Teams). Scores range from 0.0 (None) to 10.0 (Critical).
Exploit multipliers are derived from the CVSS Temporal / Exploit Code Maturity metric and the CISA Known Exploited Vulnerabilities (KEV) Catalog weighting approach.
Asset criticality and network exposure multipliers align with the NIST SP 800-30 Rev. 1 risk assessment framework for impact and likelihood weighting.
The age urgency factor uses a logarithmic scale (base 10, normalised to 1 year = 365 days) so that urgency grows quickly in the first weeks and plateaus for very old vulnerabilities, reflecting real-world patching dynamics.
The patch availability multiplier reflects the CVSS Remediation Level temporal metric: official fix < workaround < unavailable.
Recommended SLA thresholds are consistent with PCI DSS 4.0 (critical: 1 day), NIST CSF, and common enterprise vulnerability management policies.
This calculator provides a relative triage score and does not replace a full risk assessment. Scores should be reviewed alongside business context and threat intelligence.
References: FIRST CVSS v3.1 Specification (https://www.first.org/cvss/), CISA KEV Catalog, NIST SP 800-30 Rev. 1, PCI DSS v4.0.

Vulnerability Remediation Priority Calculator

Formula

Assumptions & References

More Calculators

In the network

Network