VRM 3.0 Calculator
Vulnerability Risk Model: Risk-informed prioritization
Stage 0
Start Here
CVSS × EPSS = Base Risk. Enter a CVE to calculate the foundation score.
Stage 1
Add Context
Suggested: add +1 for each context factor that applies. Organizations can customize these values to match their risk tolerance (e.g., a full criticality-level increase for externally facing systems).
Stage 2
Advanced
Add age-based urgency to prevent "forever findings" from being ignored.
Start conservative (+1 per 10 years), then incrementally tighten to create healthy pressure on long-lived vulnerabilities.
Results
CVE Information
CVE ID
CVE Age
CVSS Base Score
CVSS Version
EPSS Probability
EPSS Percentile
Details
View on CVEDetails.com
Score Breakdown
Stage 0: CVSS × EPSS
Stage 1: Context modifiers
Stage 2: Age modifier
Final VRM Score
VRM 3.0 Risk Score
Note: The SLA timeframes above are traditional static benchmarks. For dynamic SLA clocks that adjust as criticality changes, see the SLA Clock Calculator.
Data sources: NVD (CVSS) + FIRST (EPSS)