Calculator

VRM 3.0 Calculator

Risk-informed prioritization. Enter a CVE; the calculator pulls live CVSS and EPSS, then layers your business context on top.

Stage 0 Start here

CVSS × EPSS = Base Risk. Enter a CVE to calculate the foundation score.

CVE ID

Stage 1 Add context

Pick a mode per factor. +1 score adds one point to the final number. +1 severity promotes the finding one criticality tier. Tune defaults to match your risk tolerance, or add your own factors below.

Processes PII, PHI, or sensitive data

Externally facing (internet accessible)

Runs on End-of-Life OS

High vulnerability density (5+ vulns with CVSS ≥ 5.0)

Stage 2 Advanced

Add age-based urgency to prevent "forever findings" from being ignored.

Disabled 10 ← years per +1 → 1

Age modifier: Disabled

Start conservative (+1 per 10 years), then incrementally tighten to create healthy pressure on long-lived vulnerabilities.

Results

CVE Information

CVE ID

CVE Age

CVSS Base Score

CVSS Version

EPSS Probability

EPSS Percentile

Details View on CVEDetails.com

Score Breakdown

Stage 0: CVSS × EPSS

Stage 1a: Score modifiers

Stage 1b: Severity modifiers

Stage 2: Age modifier

Final VRM Score

VRM 3.0 Risk Score

Note: The SLA timeframes above are traditional static benchmarks. For dynamic SLA clocks that adjust as criticality changes, see the SLA Clock Calculator.

Data sources: NVD (CVSS) + FIRST (EPSS)

Last updated: Loading…