VRM 3.0 Calculator

Vulnerability Risk Model — Risk-informed prioritization

Stage 0 Start Here

CVSS × EPSS = Base Risk. Enter a CVE to calculate the foundation score.

CVE ID:

Stage 1 Add Context

Add +1 for each context factor that applies to the affected system.

Processes PII, PHI, or sensitive data +1

Externally facing (internet accessible) +1

Runs on End-of-Life OS +1

High vulnerability density (5+ vulns with CVSS ≥ 5.0) +1

Stage 2 Advanced

Add age-based urgency to prevent "forever findings" from being ignored.

Disabled 10 ← years per +1 → 1

Age modifier: Disabled

Start conservative (+1 per 10 years), then incrementally tighten to create healthy pressure on long-lived vulnerabilities.

CVE Information

CVE ID

CVE Age

CVSS Base Score

CVSS Version

EPSS Probability

EPSS Percentile

Score Breakdown

Stage 0: CVSS × EPSS

Stage 1: Context modifiers

Stage 2: Age modifier

Final VRM Score

VRM 3.0 Risk Score

Data sources: NVD (CVSS) + FIRST (EPSS)

Last updated: Loading...

Learn more: vulnerabilityriskmodel.com