Vulnerability Priority Rating

Vulnerability Priority Rating (VPR), the output of Tenable Predictive Prioritization, helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on severity level – Critical, High, Medium, and Low – determined by two components: technical impact and threat. Technical impact measures the impact on confidentiality, integrity, and availability following exploitation of a vulnerability. It is equivalent to the CVSSv3 impact subscore.

The threat component reflects both recent and potential future threat activity against a vulnerability. Some examples of threat sources that influence VPR are public proof-of-concept (PoC) research, reports of exploitation on social media, emergence of exploit code in exploit kits and frameworks, references to exploitation on the dark web and hacker forums, and detection of malware hashes in the wild. Such threat intelligence is key in prioritizing those vulnerabilities that pose the most risk to an organization.