Manage fix prioritization policies | Fluid Attacks Help

Role required: User Manager

The Priority section within Policies lets you configure your organization's rules for prioritizing vulnerability remediation based on multiple criteria, most of which correspond to CVSS metrics.

(Image: View prioritization policies on the Fluid Attacks platform)

Follow these steps to add a new prioritization policy:
  1. In the Priority section, click on Add criteria.
  2. Select the category that corresponds to the criterion you want to use to prioritize a vulnerability.
     (Image: Select prioritization category on the Fluid Attacks platform)
     Advice on understanding prioritization categories: find the description of the CVSS-based metrics in the official framework documentation.
  3. Choose a criterion from the selected category. The following example shows prioritization based on the Technique used to discover the vulnerability (this and Vulnerability reachability are the only categories that are not CVSS metrics).
     (Image: Select prioritization criteria on the Fluid Attacks platform)
  4. Enter a score between -1000 and 1000. This score is added to the Priority score of every vulnerability that meets the selected criterion, helping your team prioritize the most important vulnerabilities to remediate according to your own context and knowledge.
     (Image: Manage prioritization policies on the Fluid Attacks platform)
     Info: Since negative values are permitted, and vulnerabilities' Priority scores are expressed as percentages, whenever the percentage calculation returns a negative value, the platform shows "0.0%" instead.
     Advice on adding more criteria: If necessary, you can add further criteria within that category by clicking on the plus icon.
  5. Click Confirm to add the policy.
You can add as many policies as needed, which are then applied across every group in the organization.
Note on the prioritization score
Note: The Priority score column of the table in Vulnerabilities derives its value from these policies, but also from the root's Priority, which you configure when adding the Git root. You can set a root to Low, Medium, High, or Critical priority, corresponding to 0, 50, 75, and 100 priority units, respectively. This means that if the root's Priority is marked as High, every vulnerability reported from that root gets an additional 75 units added to its Priority score. Bear in mind that the default value for the root's Priority is Low. In the example in the steps above, every vulnerability detected through PTaaS gets 100 units added to its Priority score. Other variables contributing to the Priority score are the individual vulnerability priority given when assigning treatments and a default value derived from the CVSS score, which is calculated with this formula: (4^(CVSS-4)) / 4.096.
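As an added illustration (not Fluid Attacks' own code), the following Python models how the inputs listed above could combine into a vulnerability's Priority score: the CVSS-derived default, the root's priority units, the treatment-level priority, and every matching policy score. It assumes the contributions are simply summed and that the displayed value is the sum floored at zero; the page names the inputs and the "negative shows as 0.0%" rule but not the exact combination or the conversion to a percentage, so those parts are assumptions.

```python
from dataclasses import dataclass, field

# Root priority levels and their unit values, as stated in the note above.
ROOT_PRIORITY_UNITS = {"Low": 0, "Medium": 50, "High": 75, "Critical": 100}


def cvss_default_units(cvss: float) -> float:
    """Default contribution derived from the CVSS score: (4^(CVSS-4)) / 4.096."""
    return (4 ** (cvss - 4)) / 4.096


@dataclass
class Policy:
    category: str   # e.g. "Technique" (the category chosen in step 2)
    criterion: str  # e.g. "PTaaS" (the criterion chosen in step 3)
    score: int      # the score entered in step 4, between -1000 and 1000

    def __post_init__(self) -> None:
        if not -1000 <= self.score <= 1000:
            raise ValueError("policy score must be between -1000 and 1000")


@dataclass
class Vulnerability:
    cvss: float
    root_priority: str = "Low"   # the page states Low is the root default
    treatment_priority: int = 0  # priority given when assigning a treatment
    # Hypothetical attribute map, category -> value, used to match policies.
    attributes: dict = field(default_factory=dict)


def priority_units(vuln: Vulnerability, policies: list) -> float:
    """Sum every contribution the page lists (summation is an assumption)."""
    total = cvss_default_units(vuln.cvss)
    total += ROOT_PRIORITY_UNITS[vuln.root_priority]
    total += vuln.treatment_priority
    for policy in policies:
        if vuln.attributes.get(policy.category) == policy.criterion:
            total += policy.score
    return total


def displayed_score(units: float) -> float:
    """Negative results are shown as 0.0 (the platform displays "0.0%")."""
    return round(max(0.0, units), 1)


if __name__ == "__main__":
    # Constructed sample: the PTaaS policy from the steps, on a High-priority root.
    policies = [Policy("Technique", "PTaaS", 100)]
    vuln = Vulnerability(cvss=10.0, root_priority="High", attributes={"Technique": "PTaaS"})
    print(displayed_score(priority_units(vuln, policies)))
```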