The CVSS scores rate those of 9.0 and up as critical, whereas the patch impacts have shown critical with CVEs of much lower scores (I have seen 7.7 as the highest for an old patch, never mind all the newer ones that don't have scores yet, or even show any CVEs).
It appears that a 'Patch Impacts' rating of Critical only means there is a CVE assigned to it, without regard to the actual rating of that CVE (never mind factoring in KEV yet).
Could Craig Wilson or others confirm that understanding for me? Perhaps we should update the help text for 'critical'?
This leads to some communication challenges between the security-focused and those handling workstation management.
How do others handle this notable discrepancy, given that insurance tends to prioritize those with CVSS of 9.0+ as needing to be patched within days, vs. the lesser ones, which can be done later (weeks)?
I have a dashboard dashlet of CVEs sorted by Most Severe/CVSS score, and use that to crack the whip the best I can (Internal is overly conflict-avoidant, so getting restarts done to finish patches is such a challenge, and I, as external, can only do so much).
________________________
Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.