The priority ranking is based on all known data about a vulnerability. The Reason to prioritize column is a summary and weighting of key CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System) and known active ransomware data.
Data influencing priority rank
Severity is based on the vulnerability's CVSS score. An open industry standard, CVSS uses a formula of several access and impact metrics to calculate the severity of the vulnerability.
This table shows the tags we've assigned corresponding to CVSS scores.
Severity        CVSS range
Critical        9.0 - 10.0
High            7.0 - 8.9
Medium          4.0 - 6.9
Low             0.1 - 3.9
Info / None     0.0
Active ransomware marks vulnerabilities that have been used in known ransomware campaigns (this data is sourced by New Relic from its official partner network). The severe impact of ransomware incidents makes these vulnerabilities a high priority.
The Cybersecurity & Infrastructure Security Agency (CISA) defines ransomware as "an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid."
Exploit probability scores are based on EPSS, which rates the probability that a vulnerability will be exploited in the wild. In these cases, there are known instances of threat actors taking advantage of the vulnerability. EPSS scores can look low out of context (the percentile ranks a vulnerability's EPSS score against all other scored vulnerabilities), but security experts recommend giving higher priority to all vulnerabilities with an exploit probability above the 85th percentile, since this indicates a significant risk that the vulnerability will be exploited.
This table shows the tags we've assigned to each level of exploit probability.
Exploit probability            EPSS percentile
Exploit extremely probable     95%
Exploit very probable          90%
Exploit probable               85%
Example of ranking logic
A vulnerability tagged "High" severity and "Exploit probable" might rank higher than a vulnerability tagged "Critical" severity whose EPSS percentile is below the 85th, and which therefore carries no exploit-probability tag.
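The tag tables and the ranking example above can be exercised end to end with the following script. It is an added example, not New Relic's code, and its weighting (known ransomware use first, then exploit-probability tier, then severity tier, then raw CVSS as a tiebreaker) is an assumption chosen to reproduce the behaviour the example describes; the product's actual weights are not stated on the page. The CVE ids in the sample data are constructed placeholders, and EPSS is taken as a percentile from 0 to 100, not the raw EPSS probability.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity tiers from the page's CVSS table, ordered for comparison.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info / None": 0}


def severity_tag(cvss: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the page's severity tag."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss >= 0.1:
        return "Low"
    return "Info / None"


# Exploit-probability tiers from the page's EPSS table, highest threshold first.
# Input is the EPSS *percentile* (0-100), not the raw EPSS probability (0.0-1.0).
EXPLOIT_TIERS: List[Tuple[float, str]] = [
    (95.0, "Exploit extremely probable"),
    (90.0, "Exploit very probable"),
    (85.0, "Exploit probable"),
]


def exploit_probability_tag(epss_percentile: float) -> Optional[str]:
    """Return the exploit-probability tag, or None below the 85th percentile."""
    if not 0.0 <= epss_percentile <= 100.0:
        raise ValueError(f"EPSS percentile out of range: {epss_percentile}")
    for threshold, tag in EXPLOIT_TIERS:
        if epss_percentile >= threshold:
            return tag
    return None


def exploit_tier_rank(epss_percentile: float) -> int:
    """3 for 'extremely probable', 2 for 'very probable', 1 for 'probable', 0 untagged."""
    tag = exploit_probability_tag(epss_percentile)
    if tag is None:
        return 0
    tags = [t for _, t in EXPLOIT_TIERS]
    return len(tags) - tags.index(tag)


@dataclass
class Vulnerability:
    cve_id: str              # placeholder ids in SAMPLE below, not real CVEs
    cvss: float
    epss_percentile: float
    active_ransomware: bool = False


def priority_key(v: Vulnerability) -> Tuple[int, int, int, float]:
    """Assumed weighting (not New Relic's): ransomware use, then exploit tier,
    then severity tier, then raw CVSS. Higher tuples sort first."""
    return (
        1 if v.active_ransomware else 0,
        exploit_tier_rank(v.epss_percentile),
        SEVERITY_RANK[severity_tag(v.cvss)],
        v.cvss,
    )


def reason_to_prioritize(v: Vulnerability) -> str:
    """Summarise the tags that drove the ranking, like the page's column."""
    parts = [f"{severity_tag(v.cvss)} (CVSS {v.cvss})"]
    tag = exploit_probability_tag(v.epss_percentile)
    if tag:
        parts.append(f"{tag} (EPSS {v.epss_percentile:g}th percentile)")
    if v.active_ransomware:
        parts.append("Active ransomware")
    return "; ".join(parts)


def rank(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Highest priority first."""
    return sorted(vulns, key=priority_key, reverse=True)


# Constructed sample findings with placeholder ids.
SAMPLE = [
    Vulnerability("CVE-0000-0001", cvss=9.8, epss_percentile=40.0),
    Vulnerability("CVE-0000-0002", cvss=7.5, epss_percentile=86.0),
    Vulnerability("CVE-0000-0003", cvss=5.3, epss_percentile=20.0, active_ransomware=True),
    Vulnerability("CVE-0000-0004", cvss=9.1, epss_percentile=97.0),
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(v.cve_id, "->", reason_to_prioritize(v))
```

Under this weighting the "High" finding at the 86th percentile (CVE-0000-0002) sorts above the "Critical" finding at the 40th percentile (CVE-0000-0001), which is the case the page describes; the medium-severity finding flagged for active ransomware sorts to the top. Tier boundaries are inclusive (a CVSS of 9.0 is "Critical", an 85th-percentile EPSS is "Exploit probable"), matching the ranges in the tables.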