
Vulnerability Priority Scoring

CodeStax assigns a priority score (0-100) to every SCA vulnerability so you can focus on the issues that matter most. The score combines multiple threat intelligence signals into a single actionable number.

How Priority Scores Work

Each vulnerability is scored using a weighted formula that goes beyond raw CVSS to reflect real-world exploitability and business impact.

Scoring Formula

Priority is a weighted combination of five factors: severity (the CVSS base score), exploit probability (EPSS), reachability of the vulnerable code from your application, known-exploitation status (presence in the CISA KEV catalog), and whether a fixed version is available.

Priority Levels

Four priority levels: Critical, High, Medium, and Low, listed from most to least urgent. Each finding's level is assigned from its composite score.

Using the Priority Page

  1. Navigate to Dashboard → SCA → Priority
  2. Use the level filter to show only Critical, High, Medium, or Low findings
  3. Sort the table by Priority Score, CVSS, or Package Name using the column headers
  4. Click any row to view full vulnerability details and remediation guidance

Key Concepts

EPSS (Exploit Prediction Scoring System)

EPSS is a model, maintained by FIRST, that estimates the probability (0 to 1) that a vulnerability will be exploited in the wild within the next 30 days. A vulnerability with a CVSS of 7.0 but an EPSS of 0.001 is far less urgent than one with a CVSS of 6.0 and an EPSS of 0.85. EPSS helps you prioritize real-world risk over theoretical severity.

CISA KEV (Known Exploited Vulnerabilities)

The CISA KEV catalog is a curated list of vulnerabilities that have been confirmed as actively exploited. If a CVE appears in the KEV catalog, it receives a significant priority boost because exploitation is not theoretical — it is happening now.
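The following Python sketch is an added example, not CodeStax's own code or its published formula: it shows how a weighted composite of the factors listed under Scoring Formula can re-rank findings the way the EPSS and KEV sections describe. The weights, level thresholds, sample findings and placeholder CVE identifiers are all assumptions chosen for illustration; CodeStax's real weights are not stated on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str             # constructed placeholder IDs below, not real CVEs
    package: str
    cvss: float          # CVSS base score, 0.0-10.0
    epss: float          # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool         # listed in the CISA KEV catalog
    reachable: bool      # vulnerable function reachable from application code
    fix_available: bool  # a patched release exists


# Assumed weights (not CodeStax's); they sum to 100 so the composite is 0-100.
W_CVSS, W_EPSS, W_KEV, W_REACH, W_FIX = 30, 35, 20, 10, 5

# Assumed level thresholds on the composite score.
LEVELS = (("Critical", 75), ("High", 50), ("Medium", 25), ("Low", 0))


def priority_score(f: Finding) -> int:
    """Composite 0-100 priority. Rejects out-of-range CVSS or EPSS inputs."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS must be 0-10, got {f.cvss}")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS must be 0-1, got {f.epss}")
    score = (f.cvss / 10.0) * W_CVSS          # severity, normalised to 0-1
    score += f.epss * W_EPSS                  # exploit probability, already 0-1
    score += W_KEV if f.in_kev else 0         # confirmed exploitation: flat boost
    score += W_REACH if f.reachable else 0    # reachable code paths carry real risk
    score += W_FIX if f.fix_available else 0  # actionable now: small boost
    return int(round(score))


def priority_level(score: int) -> str:
    """Map a composite score to one of the four levels."""
    for name, floor in LEVELS:
        if score >= floor:
            return name
    return "Low"


def rank(findings):
    """Return (cve, score, level) tuples, highest priority first."""
    rows = []
    for f in findings:
        s = priority_score(f)
        rows.append((f.cve, s, priority_level(s)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample findings (placeholder CVE IDs, not real vulnerabilities).
SAMPLE = [
    Finding("CVE-2099-0001", "libalpha", cvss=7.0, epss=0.001, in_kev=False, reachable=True, fix_available=True),
    Finding("CVE-2099-0002", "libbeta", cvss=6.0, epss=0.85, in_kev=False, reachable=True, fix_available=True),
    Finding("CVE-2099-0003", "libgamma", cvss=9.8, epss=0.02, in_kev=False, reachable=False, fix_available=True),
    Finding("CVE-2099-0004", "libdelta", cvss=5.5, epss=0.30, in_kev=True, reachable=True, fix_available=False),
]

if __name__ == "__main__":
    for cve, score, level in rank(SAMPLE):
        print(f"{cve}  score={score:3d}  level={level}")
```

Run as a script, it prints the four constructed findings in priority order. Under these assumed weights the CVSS 6.0 / EPSS 0.85 finding outranks the CVSS 7.0 / EPSS 0.001 one, and the CVSS 5.5 finding that is KEV-listed and reachable outranks the CVSS 9.8 finding whose vulnerable code is not reachable, which is the reordering the EPSS and KEV sections describe.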

Best Practices

  1. Triage Critical and High findings first — These have the strongest exploitation signals
  2. Don’t ignore low-CVSS CVEs with a high EPSS — EPSS captures current exploitation activity that the CVSS base score does not, and trends can shift quickly
  3. Re-scan regularly — EPSS scores are recomputed daily and CISA adds KEV entries as new exploitation is confirmed, so a finding’s priority can change without any change to your code