Some organizations may take a low count of security vulnerabilities as a reason for peace of mind. However, rather than focusing on the number of security issues, we should consider the risk exposure they represent.
Teams should recognize that, for instance, having ten vulnerabilities with a CVSS score of 1.0 in an application does not represent the same degree of risk exposure as having one vulnerability with a CVSS score of 10.0, even though both sets add up to 10.0.
In an effort to help organizations better prioritize their vulnerability remediation actions, Fluid Attacks created a metric called CVSSF, defined by the equation CVSSF = 4^(CVSS-4). In short, CVSSF spreads the values apart much more sharply than CVSS does, so that the vulnerabilities in an application that represent a higher risk exposure gain greater visibility.
Thus, returning to the example above and using the equivalences in the table below, we can multiply each vulnerability quantity by its corresponding CVSSF score and see that the two sides no longer produce the same result of 10.0 that they did with CVSS. In this case, the results are 0.2 (i.e., 10×0.02) on one side and 4,096 (i.e., 1×4,096) on the other, a huge difference that is perhaps closer to reality.
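The comparison described above, carried out in code as an added example (this is not Fluid Attacks' code and not part of the original page): the `Finding` type, the sample findings and the `exposure_share` helper are assumptions made here for illustration. Note that the exact CVSSF of a 1.0 score is 4^(-3) = 0.015625, which the page's table rounds to 0.02, so the unrounded total for the ten low findings is 0.15625 rather than 0.2.

```python
# Added example (not Fluid Attacks' code): CVSSF = 4^(CVSS-4) used as a
# risk-exposure aggregate, contrasted with a plain sum of CVSS scores.
# The Finding type and the sample findings below are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float  # CVSS base score, 0.0 to 10.0


def cvssf(cvss: float) -> float:
    """CVSSF transform from the page: 4 ** (CVSS - 4)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return 4.0 ** (cvss - 4.0)


def total_cvss(findings):
    """Plain sum of CVSS scores; hides the difference between many lows and one critical."""
    return sum(f.cvss for f in findings)


def total_cvssf(findings):
    """Sum of CVSSF values; this is the risk-exposure figure the page argues for."""
    return sum(cvssf(f.cvss) for f in findings)


def exposure_share(findings):
    """Fraction of the total CVSSF exposure attributable to each finding, highest first.

    Useful for remediation ordering: the first entries are where most of the
    exposure sits. (Helper assumed here, not defined by the page.)
    """
    total = total_cvssf(findings)
    if total == 0.0:
        return []
    shares = ((f.name, cvssf(f.cvss) / total) for f in findings)
    return sorted(shares, key=lambda item: item[1], reverse=True)


# Constructed sample: ten findings scored 1.0 versus one finding scored 10.0
TEN_LOW = [Finding(f"low-{i}", 1.0) for i in range(10)]
ONE_CRITICAL = [Finding("critical-1", 10.0)]


if __name__ == "__main__":
    print(f"CVSS  total, ten low:     {total_cvss(TEN_LOW):.4f}")
    print(f"CVSS  total, one critical:{total_cvss(ONE_CRITICAL):.4f}")
    print(f"CVSSF total, ten low:     {total_cvssf(TEN_LOW):.4f}")
    print(f"CVSSF total, one critical:{total_cvssf(ONE_CRITICAL):.4f}")
    # Mixed backlog: the single critical finding dominates the exposure share
    for name, share in exposure_share(TEN_LOW + ONE_CRITICAL)[:3]:
        print(f"{name}: {share:.6%} of exposure")
```

Both totals under plain CVSS come out to 10.0, while under CVSSF the ten low findings contribute about 0.16 against 4,096 for the single critical one; in a mixed backlog, `exposure_share` makes that concentration explicit so triage can start where the exposure actually is.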