Priority Model

Prioritize from the whole picture, not one score.

Use this model when CVSS, KEV, EPSS, public PoC, exposure, asset criticality, patch availability, and owner evidence point in different directions.

The signals that should change action order

Severity

How bad could impact be?

CVSS describes potential technical impact. It does not prove that the vulnerable path is exposed, that exploitation is happening, that the asset matters, or that the patch is safe to apply.

Exploitation

Is exploitation known or plausible?

KEV listing, EPSS, public PoC, exploit maturity, and credible reporting should accelerate validation, but none of them replaces local proof that your instance is reachable and affected.

Exposure

Can the vulnerable path be reached?

Internet-facing, partner-facing, authenticated, internal-only, feature-disabled, or compensating-control states change the lane.

Asset Context

What business function is at risk?

Critical service, identity plane, safety process, regulated data, and blast radius can make lower scores urgent.

Patchability

Can remediation happen safely?

Fixed version availability, rollback path, high-availability failover order, maintenance windows, vendor support, and downtime tolerance shape the action path.

Evidence Quality

How strong is the proof?

Scanner-only, owner-only, telemetry-only, and vendor-only claims are single sources and should not be treated as equal to combined evidence (for example a scanner hit corroborated by configuration, telemetry, or package inventory).

Same severity, different priority

Critical but not reachable

A critical unauthenticated RCE affects a component that is not installed or is blocked by architecture. Priority becomes evidence closure and monitoring, not emergency patching. The not-affected claim still needs proof (package inventory, configuration, or network path), not only an owner's statement.

Not-affected proof

Medium but identity-facing

A medium issue affects token validation on a production identity service. Priority may outrank higher CVSS items because blast radius and exposure are stronger.

Identity context

KEV but patch unsafe today

Known exploitation plus an exposed asset demands action, but a risky patch window may require temporary controls, SOC monitoring for exploitation indicators, and a documented leadership decision on the residual risk until the patch lands.

KEV response
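The signals above and the three contrast cases, as one runnable illustration. This is an added example, not a tool from this page: the point weights, the exposure multipliers, the rank threshold, and the lane names are assumptions chosen so that the three cases land where the page says they should, and the four findings are constructed sample input.

```python
"""Priority lanes from several signals, not one score.

Added illustration, not the page's own tool. Every weight, threshold and lane
name here is an assumption chosen to reproduce the page's three "same severity,
different priority" cases; tune them to your environment.
"""
from dataclasses import dataclass, field
from enum import Enum


class Exposure(Enum):
    """How reachable the vulnerable path is; the value is a percent multiplier."""
    INTERNET = 100
    PARTNER = 90
    AUTHENTICATED = 70
    INTERNAL = 50
    NOT_REACHABLE = 10   # component absent, feature disabled, or blocked by architecture


class Evidence(Enum):
    SCANNER_ONLY = "scanner"
    OWNER_ONLY = "owner"
    VENDOR_ONLY = "vendor"
    TELEMETRY_ONLY = "telemetry"
    COMBINED = "combined"


# Single-source claims are weaker than corroborated ones (assumed weights).
EVIDENCE_WEIGHT = {
    Evidence.SCANNER_ONLY: 1, Evidence.OWNER_ONLY: 1, Evidence.VENDOR_ONLY: 1,
    Evidence.TELEMETRY_ONLY: 2, Evidence.COMBINED: 3,
}


@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float
    kev: bool
    public_poc: bool
    exposure: Exposure
    asset_criticality: int   # 1 low .. 4 identity plane / safety process / regulated data
    patch_safe_now: bool     # a fixed version exists and can be applied this window
    evidence: Evidence


@dataclass
class Decision:
    finding_id: str
    lane: str
    rank: int                # higher sorts first
    actions: list[str] = field(default_factory=list)


def decide(f: Finding) -> Decision:
    # Severity only describes potential impact; exploitation and asset context add
    # points, and exposure scales the total (an unreachable path keeps almost none).
    points = round(f.cvss * 10)
    points += 40 if f.kev else (20 if f.public_poc else 0)
    points += 20 * (f.asset_criticality - 1)
    rank = points * f.exposure.value // 100
    actions = []

    if EVIDENCE_WEIGHT[f.evidence] < 2:
        actions.append(f"corroborate {f.evidence.value}-only evidence before acting")

    if f.exposure is Exposure.NOT_REACHABLE:
        # Critical but not reachable: close with proof and watch for change.
        actions += ["record not-affected proof", "monitor for exposure change"]
        return Decision(f.id, "evidence-closure", rank, actions)

    if f.kev and f.exposure in (Exposure.INTERNET, Exposure.PARTNER):
        if f.patch_safe_now:
            actions.append("patch now with rollback ready")
            return Decision(f.id, "emergency-patch", rank, actions)
        # KEV but patch unsafe today: temporary controls plus a recorded decision.
        actions += ["apply temporary controls (block path, disable feature, WAF rule)",
                    "SOC monitoring for exploitation indicators",
                    "leadership decision on residual risk until the patch lands"]
        return Decision(f.id, "emergency-mitigate", rank, actions)

    if not f.patch_safe_now:
        actions.append("schedule fix in a maintenance window with tested rollback")
    lane = "urgent" if rank >= 100 else "scheduled"
    return Decision(f.id, lane, rank, actions)


def order(findings):
    """Action order: highest rank first (stable, so ties keep input order)."""
    return sorted((decide(f) for f in findings), key=lambda d: d.rank, reverse=True)


# Constructed sample findings mirroring the page's contrast cases.
SAMPLE = [
    Finding("F1", 9.8, False, True, Exposure.NOT_REACHABLE, 2, True, Evidence.OWNER_ONLY),   # critical RCE, component absent
    Finding("F2", 5.3, False, False, Exposure.INTERNET, 4, True, Evidence.COMBINED),         # medium, prod identity service
    Finding("F3", 8.8, True, True, Exposure.INTERNET, 3, False, Evidence.TELEMETRY_ONLY),    # KEV, exposed, patch unsafe today
    Finding("F4", 7.5, False, False, Exposure.INTERNAL, 2, True, Evidence.SCANNER_ONLY),     # high CVSS, internal, scanner only
]

if __name__ == "__main__":
    for d in order(SAMPLE):
        print(d.rank, d.lane, d.finding_id, d.actions)
```

Running it orders F3 (KEV, exposed) first, then the medium identity-facing F2 above the high-CVSS internal F4, with the unreachable critical F1 last in an evidence-closure lane. The model is deliberately transparent: every rank is a sum a reviewer can recompute, which is what makes the "why is this medium above that high" conversation short.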