Vulnerabilities by VPR

Tenable calculates a dynamic Vulnerability Priority Rating (VPR) for most vulnerabilities. Unlike a static severity rating, VPR can change over time: Tenable updates a vulnerability's VPR score daily to reflect the current threat landscape. VPR values range from 0.1 to 10, with higher values representing a higher likelihood of exploitation.

VPR severity ratings cannot be edited or customized. VPR scores are derived from seven key drivers:

  • Age of Vulnerability - The number of days since the National Vulnerability Database (NVD) published the vulnerability.

  • CVSSv3 Impact Score - The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.

  • Exploit Code Maturity - The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., ReversingLabs, Exploit-DB, Metasploit). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.

  • Product Coverage - The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.

  • Threat Sources - A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.

  • Threat Intensity - The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.

  • Threat Recency - The number of days (0-180) since a threat event occurred for the vulnerability.

The Vulnerability Priority Rating Using VPR widget for Tenable Vulnerability Management displays the vulnerability count, organized by Vulnerability Priority Rating (VPR) category from the traditional vulnerability scans collected using Nessus scanners. VPR is a dynamic metric representing the likelihood of a vulnerability being exploited and its severity. Tenable recommends remediating vulnerabilities with a higher VPR first.

Drilling Down in Tenable Vulnerability Management

Drilling down in the widget enables a more refined search, based on specified conditions. To display all assets with a VPR rating of 9.0-10, click on the summary button, shown in the image above. The findings can be sorted by Asset (1) and more filters can be applied by clicking on the Advanced filter (2).

For example, to display only assets that have vulnerabilities with a VPR greater than or equal to 9 and a CVSS severity of Critical or High, filter out the Medium and Low CVSS vulnerabilities by checking the boxes under Severity “is not equal to” (1), and click on Apply (2). The Medium and Low severity vulnerabilities are now filtered out (3).
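The same widget summary and drill-down can be reproduced offline over exported findings. The following Python sketch is an added example, not Tenable code: the field names and sample findings are constructed, and only the 9.0-10 band comes from this page (the other three bands follow Tenable's published VPR ranges).

```python
from collections import Counter

# VPR category floors, highest first. Only the 9.0-10 band is stated on this
# page; the other three follow Tenable's published VPR ranges.
VPR_FLOORS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]

# Constructed sample findings. Field names are assumptions for this example,
# not the schema of a Tenable export. "severity" is the CVSS-based severity.
FINDINGS = [
    {"asset": "web-01", "plugin": "sample-a", "vpr": 9.8, "severity": "Critical"},
    {"asset": "web-01", "plugin": "sample-b", "vpr": 9.2, "severity": "Medium"},
    {"asset": "db-02", "plugin": "sample-c", "vpr": 9.0, "severity": "High"},
    {"asset": "db-02", "plugin": "sample-d", "vpr": 7.4, "severity": "High"},
    {"asset": "app-03", "plugin": "sample-e", "vpr": 5.1, "severity": "Medium"},
    {"asset": "app-03", "plugin": "sample-f", "vpr": None, "severity": "Low"},
    {"asset": "app-03", "plugin": "sample-g", "vpr": 2.3, "severity": "Low"},
]

def vpr_category(score):
    """Map a VPR score to its category; findings without a VPR get their own bucket."""
    if score is None:
        return "No VPR"  # VPR exists for most, not all, vulnerabilities
    if not 0.1 <= score <= 10:
        raise ValueError(f"VPR out of range: {score}")
    for name, floor in VPR_FLOORS:
        if score >= floor:
            return name

def widget_counts(findings):
    """Vulnerability count per VPR category, as the widget summarizes it."""
    return Counter(vpr_category(f["vpr"]) for f in findings)

def drill_down(findings, min_vpr=9.0, severity_not_in=("Medium", "Low")):
    """VPR >= min_vpr and Severity 'is not equal to' the excluded values, sorted by asset."""
    hits = [f for f in findings
            if f["vpr"] is not None and f["vpr"] >= min_vpr
            and f["severity"] not in severity_not_in]
    return sorted(hits, key=lambda f: (f["asset"], -f["vpr"]))

if __name__ == "__main__":
    print(dict(widget_counts(FINDINGS)))
    for f in drill_down(FINDINGS):
        print(f["asset"], f["plugin"], f["vpr"], f["severity"])
```

In the sample data, the `sample-b` finding has a VPR of 9.2 but Medium severity, so it counts toward the Critical VPR category in the summary and drops out once the severity filter is applied.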