VRM
VRM 3.0 VulnerabilityRiskModel.com
VRM 3.x + CNA collaboration

The Future of VRM: Partnering with CVE Issuers

Small additions at CVE creation time can dramatically improve downstream risk modeling accuracy in VRM 3.x. By adding standardized exploitability hints, CNAs can help every consumer differentiate real-world risk per asset type.

Collaborate on exploitability tags Get VRM 3.x updates
Built on CVSS (impact) and EPSS (likelihood) Adds exploitability shape to asset-aware risk scoring

Why CVE tags matter

VRM 3.0 blends CVSS (impact), EPSS (likelihood), and asset/business context (sensitivity, criticality, lifecycle, exposure). The next frontier is tiny, standardized exploitability “shape” metadata added during CVE creation. This does not replace scoring systems; it adds a high-value, low-friction hint about how the vulnerability is typically exploited and enables VRM 3.x to differentiate risk per asset type.

Exploitability insight at the source

CVE issuers have the earliest, clearest understanding of how a vulnerability is reached. Capturing that shape at publication gives defenders a durable signal that travels with the CVE.

  • Zero friction for VRM adopters: the hint is already in the CVE.
  • Complements CVSS and EPSS instead of competing with them.
  • Creates consistent language for downstream tooling.

Better prioritization per asset

With exploitability shape, the same CVE scores differently on a workstation, a hardened backend server, or a field-deployed device. VRM 3.x can elevate the risks that match each asset’s reality while de-emphasizing those that do not.

  • Workstations vs. servers vs. appliances are treated uniquely.
  • Noise drops and remediation queues focus on what matters.
  • Models stay simple while adding meaningful nuance.

How CVSS 4.0 moves the needle (and where the gap remains)

CVSS 4.0, released by FIRST in November 2023, made meaningful improvements to vulnerability scoring. Several of its new features align with the problems VRM is solving, but a critical gap remains: there is still no CNA-supplied signal that automatically differentiates risk per asset type.

What CVSS 4.0 improved

  • Attack Requirements (AT): A new metric split from Attack Complexity that captures deployment-specific conditions (race conditions, specific configurations, MitM positioning) beyond the attacker's control.
  • User Interaction expanded: Now has three values (None, Passive, Active) instead of two, better capturing the difference between involuntary interaction (loading a page) and conscious action (opening a file).
  • Supplemental metrics: New informational fields including Automatable (can exploitation be automated?), Value Density (richness of target resources), Recovery (system recoverability), and Safety (relevance to human life for OT/medical devices).
  • Better impact modeling: Scope was replaced with Vulnerable System and Subsequent System impact splits, giving more precise impact measurements.

Where the gap remains

  • No per-asset-type scoring at the source. CVSS 4.0's Environmental metrics can produce different scores per asset, but require manual per-CVE customization by each organization. In practice, very few teams use them because it does not scale.
  • Supplemental metrics do not affect the score. The most operationally useful new fields (Automatable, Value Density, Safety) are informational only and excluded from score calculation.
  • No operational "shape" signal. CVSS 4.0's Attack Vector (Network/Adjacent/Local/Physical) describes how a vulnerability is exploited, but not what kind of asset it matters on. AV:Network could be a server-side RCE or a client-side drive-by; those have very different risk profiles per asset type.
  • Still standalone. CVSS 4.0 has no built-in mechanism to incorporate threat likelihood data like EPSS. VRM's core formula (CVSS x EPSS + context) bridges that gap.

CVSS 4.0 and VRM are complementary

CVSS 4.0 provides a stronger impact foundation for VRM's base calculation. VRM adds what CVSS 4.0's architecture does not deliver: CNA-supplied exploitability tags that automatically differentiate risk per asset type, EPSS integration for likelihood, and business context modifiers from your CMDB.

The exploitability tags VRM proposes map naturally to CVSS 4.0's Attack Vector values but go further. Where AV tells you the technical access path, VRM tags tell you the operational reality: #RemoteService for network-listening services (high risk on servers, low on workstations), #LocalApplication for user-interaction exploits (high risk on workstations, low on servers), and #PhysicalAccess for proximity-based attacks (high risk on field devices, low in locked datacenters).

CNAs tag once at CVE creation. Every downstream consumer benefits automatically, without manual Environmental metric customization.

GCVE: a decentralized alternative to CVE

The vulnerability identification landscape is evolving. The GCVE system, operated by CIRCL (Luxembourg's national CSIRT), introduces decentralized vulnerability numbering that eliminates single points of failure. VRM needs to be ready for a world where not every vulnerability has a CVE ID.

What is GCVE?

GCVE was publicly announced in April 2025, the same day the MITRE CVE funding crisis revealed how fragile a single-authority model can be. By January 2026, db.gcve.eu went live, aggregating data from 25+ sources.

  • Decentralized numbering. GCVE Numbering Authorities (GNAs) allocate IDs independently, without waiting for a central authority. 29 GNAs are registered, including CIRCL, ENISA (EUVD), Red Hat, Cisco Talos, Siemens, VulnCheck, and others.
  • Backward-compatible. All existing CVE IDs map into GCVE under GNA-0 (e.g., CVE-2023-40224 becomes GCVE-0-2023-40224). GCVE complements CVE rather than replacing it.
  • No single point of failure. GCVE is not dependent on a single government contract. GNAs define their own policies and manage their own allocations.

What this means for VRM

GCVE creates both opportunity and challenge for risk models that depend on CVE IDs to look up CVSS and EPSS data.

  • EPSS blind spots. EPSS is currently keyed entirely to CVE IDs. GCVE-only vulnerabilities would have no EPSS score unless FIRST extends their model, making VRM's base calculation (CVSS x EPSS) impossible for those findings.
  • Fragmentation risk. Organizations may need to monitor both CVE and GCVE feeds. Without unified deduplication, alert fatigue could worsen.
  • VRM's response. For GCVE-only vulnerabilities, VRM falls back to tool-native severity with context modifiers applied, the same approach used for any finding missing CVSS or EPSS data. Internal analysis and remapping fill the gap until scoring data catches up.

Vulnerabilities without CVEs

Not every security finding carries a CVE or GCVE identifier. Misconfigurations, internal application flaws, vendor-specific advisories, and emerging zero-days may lack the CVSS and EPSS data that VRM's base calculation depends on. A mature vulnerability management program needs a consistent approach for these gaps.

Why non-CVE findings score higher

When EPSS data is missing, the base calculation (CVSS x EPSS) cannot run. Falling back to tool-native severity means the EPSS multiplier never reduces the score. The result: non-CVE findings typically land at higher criticality than equivalent CVE-backed findings because there is no exploit-probability data to refine them downward.

This is by design. Without data to quantify likelihood, the model errs on the side of caution. Teams should expect a larger proportion of non-CVE findings in the High and Critical tiers.

Recommended handling

  • Use tool-native severity as the starting criticality. Most scanners, DAST, and SAST tools assign their own severity levels.
  • Apply Stage 1 context modifiers on top of the tool severity. Business context still matters even without a CVE.
  • Flag for internal analysis. These findings will often need static remapping: a full override (fixed criticality, no modifiers applied) or a partial override (new base criticality with modifiers still applied per system).
  • Transition to full VRM scoring as data becomes available (CVE or GCVE assigned, EPSS catches up, CVSS published).

The three exploitability tags

Every vulnerability typically aligns with one or more exploit paths. These three tags are the core primitives.

#LocalApplication

Definition:

Vulnerabilities where exploitation typically requires local code execution or user interaction, such as opening a file, visiting a webpage, or executing an untrusted binary.

Characteristics:

  • Often starts with phishing, malicious documents, drive-by sites, or user actions.
  • Includes local privilege escalation requiring code already running on the system.

Examples:

  • Chrome RCE requiring user to visit a malicious webpage.
  • Office document macro exploit delivered by phishing.
  • Local privilege escalation where the attacker must already be running code.

#RemoteService

Definition:

Vulnerabilities in services or applications that listen on a network port and accept inbound connections.

Characteristics:

  • Classic server-side exposure.
  • Relevant to internet-facing, DMZ, and internal services.

Examples:

  • RCE in a VPN appliance.
  • Web server or API endpoint exploitable without authentication.
  • RDP/SSH vulnerabilities reachable over the network.

#PhysicalAccess

Definition:

Vulnerabilities where exploitation requires physical presence or direct hardware-level/proximity interaction with the device.

Characteristics:

  • Requires plugging in a peripheral, accessing a port, or being near the device.
  • Often applies to kiosks, medical devices, embedded systems, IoT, field equipment, laptops, and specialized hardware.

Examples:

  • USB-based privilege escalation requiring physical insertion of a device.
  • JTAG/UART debug modes that bypass authentication.
  • Bootloader exploitation only accessible at power-on with console access.
  • NFC/Bluetooth/WiFi-proximity attacks requiring attacker presence near the device.

How these tags feed into VRM 3.0 and 3.x

VRM uses these tags as context-aware modifiers to reflect how assets are actually attacked.

Workstations

  • Elevate #LocalApplication (users browse, click, open files).
  • Reduce #RemoteService (endpoints should have few/no exposed services, host firewalls isolate inbound traffic).
  • #PhysicalAccess depends on environment (office vs public kiosk).

Servers

  • Elevate #RemoteService (core attack surface for business-critical services).
  • Reduce #LocalApplication (servers don’t run browsers or productivity apps).
  • #PhysicalAccess typically low risk unless the device is field-deployed.

Specialized devices (kiosks, medical devices, POS, OT/IoT)

  • Elevate #PhysicalAccess due to public/field exposure.
  • Balance #LocalApplication and #RemoteService based on architecture.

Human-friendly examples:

  • A Chrome RCE (#LocalApplication) is high-risk on employee laptops but almost irrelevant on a hardened backend server.
  • An unauthenticated RCE in a web server (#RemoteService) is critical for servers but meaningless on a workstation that doesn’t run such a service.
  • A USB-based takeover (#PhysicalAccess) is negligible on locked racks in a datacenter but severe on a public kiosk or patient-facing medical device.

What CVE issuers can do today

CNAs can help create a consistent global language for exploitability classification with a few small steps.

  • Add #LocalApplication, #RemoteService, and #PhysicalAccess tags when publishing CVEs.
  • Apply multiple tags if the vulnerability can be used in different contexts (for example, a library used in browsers and servers).
  • Add tag rationale to the CVE metadata or description.
  • Encourage reproducible, standardized tagging across vendors.
  • Help create a consistent global language for exploitability classification.
  • Note: This is not a competing scoring system; it’s a tiny metadata addition with outsized impact.

Roadmap for VRM 3.x

VRM continues to evolve as we partner with CNAs, vendors, and researchers.

Where we are

  • Stage 0 = CVSS × EPSS (base calculation).
  • Stage 1 = Add context modifiers from CMDB.
  • Stage 2 = Add age-based modifiers for healthy habits.

Where we are going

  • VRM 3.x = exploitability tag integration for per-asset-type risk scoring.
  • Building on CVSS 4.0's improved impact modeling and supplemental metrics as a stronger base input.
  • Preparing for GCVE and multi-namespace vulnerability identification (CVE, GCVE, vendor-specific).
  • Collaborating with CNAs and GNAs to standardize tags and rationale.
  • Inviting vendors and researchers to pressure-test and refine the approach.

Together we can make risk modeling clearer, faster, and more aligned to how vulnerabilities are actually exploited.

Join us in shaping VRM 3.x

CVE issuers and vendors: collaborate on exploitability tagging so every CVE ships with a consistent signal. Security leaders: subscribe for VRM 3.x updates or contact us directly.

Partner with VRM Subscribe for VRM 3.x updates or reach out to co-design standardized exploitability tagging.