Skip to content

patrickmgarrity/vulnerability-scoring-systems

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
README.md
README.md
 
 

Repository files navigation

A List of Vulnerability Scoring Systems

Vulnerability Scoring System Release Date Paper/Algorithm Notes
Actionable Exploit Assessment System (AEAS) Sep 2025 Academic paper, Open source on GitHub Novel academic research, LLM-based
Amazon Inspector Score Nov 2021 Proprietary Commercial, AWS-specific, contextual risk scoring
Armis AI Powered Risk Score ~2020-2024 Proprietary, AI Commercial, Asset-focused, commercial IoT/OT security
Armorcode Risk Scoring Proprietary Commercial
Cisco Security Risk Score Dec 2023 (rebrand) Proprietary Cisco-acquired technology (formerly Kenna Risk Score (2021)), commercial
Coalition Exploit Scoring System (ESS) Jun 2023 Public tool, AI/LLM-based Adoption primarily by Coalition customers
Common Vulnerability Scoring System (CVSS) v2 June 2007 industry standard
Common Vulnerability Scoring System (CVSS) V3.1 Jun 2019 Open standard by FIRST Ubiquitous industry standard
Common Vulnerability Scoring System (CVSS) V4 Nov 2023 Open standard by FIRST Latest CVSS, growing adoption
Common Weakness Scoring System (CWSS) 2011 Open standard by MITRE Weakness-focused, limited adoption
Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD) 2002 Book: "Writing Secure Code" 2nd ed Deprecated by Microsoft, still used
Exploit Prediction Scoring System (EPSS) Jan 2021 Academic paper, Proprietary Model ML-based prediction
Lacework FortiCNAPP Risk Score Feb 2022 Proprietary Commercial, Fortinet-acquired, CNAPP-focused
Google Attack Exposure Score Jun 2023 Proprietary commercial, GCP-specific, attack path analysis
IBM X-Force Threat Score ~2020 Proprietary Commercial
Ivanti Vulnerability Risk Rating (VRR) Apr 2020 Proprietary Nomenclature standardization, commercial
Likely Exploited Vulnerabilities (LEV) May 2025 NIST white paper CSWP 41, Public New NIST guidance, post-exploitation focus
Mend Priority Score Apr 2021 Proprietary Commercial
Microsoft Exposure Score Jun 2019 Proprietary Commercial, Microsoft ecosystem only
NIST Cyber Risk Scoring (CRS) Feb 2021 NIST internal tool, not public NIST internal use, not released
Nopsec Risk Score ~2016-2019 Proprietary, ML-based commercial Commercial
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Sep 1999 CMU/SEI Technical Report, Public CMU/SEI framework, enterprise risk
Orca Risk Score Feb 2024 Proprietary Cloud-native security, commercial
OWASP AI Vulnerability Scoring System (AIVSS) Jul 2025 (v0.5) Open framework, OWASP project AI/ML-specific, very new
Phoenix Security Proprietary Commercial
Prisma Cloud Risk Score Unknown Proprietary Commercial
Process for Attack Simulation and Threat Analysis (PASTA) 2015 Book: "Risk Centric Threat Modeling" Threat modeling framework, established
Qualys Detection Score (QDS) Jun 2022 Proprietary Commercial, TruRisk component
Qualys TruRisk Jun 2022 (VMDR 2.0) Proprietary, Qualys commercial Commercials
Rapid7 Active Risk Sep 2023 Proprietary, threat-aware commercial Commercial
Recorded Future Risk Score Proprietary Commercial
SecScore May 2024 Academic paper Research methodology, academic
Social Risk Score (SRS)
Snyk Priority Score Aug 2020 Proprietary, commercial SCA Snyk commercial, DevSec focus
Stakeholder-Specific Vulnerability Categorization (SSVC) 2019 Open framework, CMU/CISA Decision tree approach, growing use
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) Late 1990s Microsoft SDL framework Classic threat modeling, widely used
Variable Impact-Exploitability Weightage Scoring System (VIEWSS) Apr 2023 Academic paper, Research Academic research, limited adoption
Veracode Security Quality Score Pre-2016 Proprietary Commercial
Vulnerability Priority Rating (VPR) 2019 Proprietary, patented by Tenable Commercial
Vulnerability Impact Scoring System (VISS) Mar 2023 Open source, GPL 3.0 defender-focused
Vulnerability Lookup AI (VLAI) Jul 2025 Open source, GPL 3.0 RoBERTA based classifier using English and Chinese corpora (viz the vulnerability databases and advisories CIRCL aggregates)
Vulnerability Rating and Scoring System (VRSS) 2010-2011 Academic paper Academic research, pre-CVSS v3
VulDB CTI Interest Score / CTI Activity Score Unknown Proprietary, commercial threat intel Commercial
Weighted Impact Vulnerability Scoring System (WIVSS) 2013 Academic paper, ACM Academic research, limited adoption
Other Related Scoring Systems Release Date Paper/Algorithm Notes
ISO/IEC 27005 Jun 2008 ISO standard (latest: Oct 2022) Enterprise risk management framework
Real-World Risk Score (RWRS) Unknown Proprietary, UK Cyber Defence Commercial VM vendor proprietary

Credit to Chris Langton for putting the initial list together

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

25 stars

Watchers

5 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors