Most people read a CVE by glancing at the CVSS score and reacting to the color. A 9.8 goes red, panic ensues; a 5.4 goes yellow, it waits for the next maintenance window. That instinct is backwards often enough to be dangerous. CVSS is a severity model, not a risk model — it tells you how bad the bug is in the abstract, not whether it can hurt you. Here is the order I actually walk an advisory in.
1. Does it touch something I run — and how?
Before anything else: is the affected component in my environment, and is it reachable? A critical RCE in an admin panel bound to 127.0.0.1 behind a VPN is a very different problem from the same bug on an internet-facing login page. Exposure and reachability reshape the score more than any base metric.
2. Read the vector string, not the number
The CVSS vector is where the truth lives. I care most about three letters:
- AV (Attack Vector) — Network vs. Local is the difference between "patch tonight" and "patch this sprint."
- PR (Privileges Required) — a bug needing existing admin rights is often a footnote; one needing none is an emergency.
- UI (User Interaction) — "None" means it can be weaponized in an automated sweep.
An unauthenticated, network, no-interaction bug on exposed software is the profile that ends up in a botnet within days, whatever the headline number says.
3. Is it actually being exploited?
Check CISA's Known Exploited Vulnerabilities catalog and your threat feeds. A mid-scored bug with a public exploit and active scanning outranks a "critical" with no known exploit and a hard-to-reach precondition. Real-world exploitation is the signal that turns theory into a queue-jumper.
Patch by exploitability and exposure, not by color. The scoreboard is a starting point, never the verdict.
4. What's the compensating control?
Sometimes the fastest safe move isn't the vendor patch. A WAF rule, a network ACL, disabling a feature, or rotating a credential can neutralize the exploit path while you schedule the real fix properly. Write down the compensating control so it isn't forgotten the moment the panic fades.
None of this replaces patching — it prioritizes it. The goal is to spend your limited attention on the handful of advisories that can actually reach and harm your systems, and to stop treating a number as a decision.
