Case file

Vulnerability classes, CVSS prioritization, and research databases

Foundations risk engagement: classified OS privilege escalation and cookie-auth bypass as Operating System and Application Logic flaws; briefed CVSS qualitative bands and the role of CVE/NVD/Exploit-DB in engagement research.

Foundations16 minVulnerability Management · CVSS · CVE · Risk
  • Defined vulnerability categories, scored risk with CVSS bands, and framed research workflow for an ACKme-style engagement.

  • Documented category answers and CVSS rating scale for the risk register.

01

Engagement summary

Defined vulnerability categories, scored risk with CVSS bands, and framed research workflow for an ACKme-style engagement.

VULNERABILITIES 101 aligned the client’s language with NIST-style weakness definitions. Five practical categories: Operating System (user→administrator privilege escalation), Misconfiguration, Weak/Default Credentials, Application Logic (cookie-based auth bypass), and Human-Factor (phishing). Scoring: CVSSv3.1 qualitative bands None/Low/Medium/High/Critical (9.0–10.0 Critical) — useful for severity, imperfect for prioritization because exploit availability and environmental context matter. Research stack for engagements: CVE identifiers, NVD detail, Exploit-DB/GitHub PoCs under authorization only. Operator briefing stresses that only a small fraction of published vulns are ever exploited in the wild — patch priority must combine CVSS with asset criticality and threat intel, not score alone.

Business impact

Treating every Medium as equal burns remediation capacity. Mis-classifying logic bugs as “just config” delays the right owner. Without CVE/NVD discipline, teams chase blog PoCs that do not match the installed version.

02

Class examples and CVSS bands

Documented category answers and CVSS rating scale for the risk register.

ANALYST · RISK

savvy@lab:~$ # user → administrator privilege upgrade

class: Operating System

savvy@lab:~$ # login bypass via forged cookies

class: Application Logic

savvy@lab:~$ # CVSSv3.1 Critical band

9.0 – 10.0

CVSS BANDS

cvss-bands.txt

None      0
Low       0.1 – 3.9
Medium    4.0 – 6.9
High      7.0 – 8.9
Critical  9.0 – 10.0

Research: CVE → NVD → authorized PoC sources

Remediation

Build a vulnerability management loop: discover → score (CVSS + business context) → patch/compensate → verify. Prefer VPR/threat-informed ranking alongside CVSS. Keep a curated allowlist of research sources for the SOC and red team.