One number that tells you what to fix first
CVSS tells you how bad a vulnerability could be in theory. VaultScore tells you how bad it is for you, today, in your codebase.
The four inputs
VaultScore is a 0–10 score, computed continuously, that combines four signals. The weighting is published — no black-box AI. You can see exactly why a finding scored what it did.
- 20% CVSS Base: Theoretical severity. The starting point — but not the whole story.
- 25% EPSS: FIRST.org probability that this CVE is exploited in the wild within 30 days.
- 25% CISA KEV: Is this vulnerability in CISA's Known Exploited Vulnerabilities catalog right now?
- 30% Reachability: Import-level analysis: is the vulnerable package actually imported/used in your code? (Function-level call-graph is on the roadmap.)
How it changes your queue
Three realistic (illustrative) findings, scored both ways. Notice how VaultScore reorders the queue around what matters.
| CVE | CVSS | EPSS | KEV | Reachable | VaultScore | Why |
|---|---|---|---|---|---|---|
| CVE-2024-12345 | 9.8 | 2% | No | No | 3.2 | High CVSS but in an unused transitive dependency, low EPSS, not in KEV. |
| CVE-2024-67890 | 6.5 | 74% | Yes | Yes | 9.1 | Moderate CVSS but actively exploited, high EPSS, and reachable from your auth path. |
| CVE-2024-11111 | 8.1 | 31% | No | Yes | 7.4 | High CVSS, reachable, moderate EPSS — solid candidate for next sprint. |
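To show how the four weighted signals reorder a queue, here is an added reference implementation covering both the weighting above and the three findings in the table. It is not SBOMVault's own code: the page publishes the weights but not how each input is normalized or combined, so this block assumes a linear weighted sum over CVSS/10, the EPSS probability, and 0/1 flags for KEV and reachability. That assumption reproduces the page's ordering (67890 first, 12345 last) but not its exact scores.

```python
from dataclasses import dataclass

# Weights as published on the page (they sum to 1.0).
WEIGHTS = {"cvss": 0.20, "epss": 0.25, "kev": 0.25, "reachable": 0.30}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability of exploitation within 30 days, 0.0-1.0
    kev: bool         # currently listed in CISA KEV
    reachable: bool   # vulnerable package actually imported/used in the codebase


def score(f: Finding) -> float:
    """Assumed linear combination (NOT the vendor's actual formula).

    Each input is mapped onto 0..1, weighted, and rescaled to the page's 0-10 range.
    """
    s = (WEIGHTS["cvss"] * (f.cvss / 10.0)
         + WEIGHTS["epss"] * f.epss
         + WEIGHTS["kev"] * (1.0 if f.kev else 0.0)
         + WEIGHTS["reachable"] * (1.0 if f.reachable else 0.0))
    return round(10.0 * s, 2)


def prioritize(findings):
    """Queue ordered by the combined score, highest first."""
    return sorted(findings, key=score, reverse=True)


def by_cvss_only(findings):
    """The naive queue a CVSS-only triage would produce, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# The three illustrative findings from the table above (values copied from the page).
SAMPLE = [
    Finding("CVE-2024-12345", 9.8, 0.02, False, False),
    Finding("CVE-2024-67890", 6.5, 0.74, True, True),
    Finding("CVE-2024-11111", 8.1, 0.31, False, True),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in by_cvss_only(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.cve}  CVSS={f.cvss:<4} combined={score(f)}")
```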
What we don't do
VaultScore is not a replacement for your security team's judgment. It's a pre-sorted queue. The decisions about what to patch, what to compensate, and what to accept are still yours.
We also don't hide the math. The weighting above is the actual weighting. You can adjust it per-organization (Enterprise) if your environment changes the calculus — for example, if you ship air-gapped, EPSS matters less and KEV matters more.
And we don't claim VaultScore is perfect. It's a better starting point than CVSS alone, which is why our customers ship faster patches with smaller queues. That's the goal.
Stop drowning in critical CVE alerts
Try SBOMVault free and see your VaultScore-prioritized queue inside your first 10 minutes.