Home

What is the vulnerability remediation timeline you have adopted for CVSS >= 7.0 vulnerabilities which are only exposed to your Intranet users (not Internet)?

What is the vulnerability remediation timeline you have adopted for CVSS >= 7.0 vulnerabilities which are only exposed to your Intranet users (not Internet)?

Top Comment: CVSS is a great start, but it lacks context. Here's a few questions to start with evaluating the remediation timeline: 1. Who ha. View poll results (601 responses)

1146 views
601 responses
3 upvotes
Between 6-12 months26%
Between 3-6 months15%
Between 2-3 months9%
Between 1-2 months21%
Between 2 weeks to 1 month18%
Between 1-2 weeks9%
Between 0-1 week3%
Related Tags
Anonymous Author
CVSS is a great start, but it lacks context. Here's a few questions to start with evaluating the remediation timeline: 1. Who has access to this vulnerable System? 3rd Party/Contractors? Everyone in The Company? A few Employees? 2. Is accessing the System requires going through VPN or MFA? Is there an audit trail? 3. Are there any Security Controllers deployed before one gets an access this System? 4. Are there any Security Controllers deployed on the System, in case it gets comprised? 5. Is this System contains sensitive data? Can Data be leaked from it? Validating those points (and more), will help establish a more realistic, breach-oriented approach to the problem at hand.
6 upvotes
Anonymous Author
7.0 hits my High rating (Medium tops off at 6.9) so it would need to be fully resolved within 30 days (Medium 60 days).  I use the CVSS score as a starting point and then score to my organization so it may lower/raise the score based on a number of risk factors, including Intranet only.
1 upvotes
Anonymous Author
Cvss is inadequate. I suggest focus on exploitable vulnerabilities and having capacity to remediate new vulnerabilities that show up in the wild. Monitor aging of exploitables and keep those under 60 days.
0 upvotes