Skill Being Reviewed
Skill name: patch-prioritization
Skill path: skills/vuln-management/patch-prioritization/
False Positive Analysis
Scenario: CVSS 9.0+ SLA Enforcement.
Observation: The skill mandates a "7-day SLA" for all Critical (9.0+) vulnerabilities.
Why this is a false positive: Many 9.0+ vulnerabilities have an EPSS score < 0.1% (zero probability of exploitation) and are for air-gapped or non-exposed systems. Patching them in 7 days creates massive operational fatigue.
Recommendation: The skill should allow "Risk-Based SLA Extensions" if the EPSS score is below the 0.05 threshold AND the system is internal-only.
Coverage Gaps
1. CISA KEV 'Ransomware' Metadata:
CISA now tags vulnerabilities in the KEV catalog that are known to be used by ransomware groups. The skill should treat "KEV + Ransomware" as a "Tier 0" (Emergency) patch, regardless of the CVSS score.
2. Compensation Control 'TTL':
Step 5 checks for compensating controls but doesn't check for their expiration. A WAF rule is a "temporary" fix; the skill should require an "Exception Expiry Date" (max 90 days) for all deferred patches.
3. EPSS v3 Trend Analysis:
EPSS v3 (2024) provides daily probability changes. The skill should check if the EPSS trend is increasing, which indicates a new exploit has been released, triggering an automatic SLA "acceleration".
Remediation Quality
Overall Assessment
Excellent use of SSVC and EPSS frameworks. It's much more advanced than standard scanner scoring. Adding the ransomware metadata and EPSS trend analysis would make it a "Best-in-Class" vulnerability management tool.
Bounty Info
Skill Being Reviewed
Skill name:
patch-prioritizationSkill path:
skills/vuln-management/patch-prioritization/False Positive Analysis
Scenario: CVSS 9.0+ SLA Enforcement.
Observation: The skill mandates a "7-day SLA" for all Critical (9.0+) vulnerabilities.
Why this is a false positive: Many 9.0+ vulnerabilities have an EPSS score < 0.1% (zero probability of exploitation) and are for air-gapped or non-exposed systems. Patching them in 7 days creates massive operational fatigue.
Recommendation: The skill should allow "Risk-Based SLA Extensions" if the EPSS score is below the 0.05 threshold AND the system is internal-only.
Coverage Gaps
1. CISA KEV 'Ransomware' Metadata:
CISA now tags vulnerabilities in the KEV catalog that are known to be used by ransomware groups. The skill should treat "KEV + Ransomware" as a "Tier 0" (Emergency) patch, regardless of the CVSS score.
2. Compensation Control 'TTL':
Step 5 checks for compensating controls but doesn't check for their expiration. A WAF rule is a "temporary" fix; the skill should require an "Exception Expiry Date" (max 90 days) for all deferred patches.
3. EPSS v3 Trend Analysis:
EPSS v3 (2024) provides daily probability changes. The skill should check if the EPSS trend is increasing, which indicates a new exploit has been released, triggering an automatic SLA "acceleration".
Remediation Quality
Issues found: The skill misses "Virtual Patching" as a recommended remediation for legacy systems that cannot be physically patched (e.g., medical devices).
Overall Assessment
Excellent use of SSVC and EPSS frameworks. It's much more advanced than standard scanner scoring. Adding the ransomware metadata and EPSS trend analysis would make it a "Best-in-Class" vulnerability management tool.
Bounty Info