Rescore vulnerabilities in bulk or individually

You can rescore vulnerabilities globally for a product version or individually using Helm.

Why rescore vulnerabilities?

Rescoring vulnerabilities allows you to align CVSS 3.x scores with the specific needs of your product's environment and usage. This keeps your vulnerability management process efficient and effective, and keeps you focused on resolving the vulnerabilities that matter most to your company, patient safety, and your bottom line.

Key reasons to rescore:

Unlike upgrading to a new version or applying a patch, rescoring does not require you to upload a new version of your SBOM.

  • Focus on most exploitable issues: Identify and address the most exploitable and impactful vulnerabilities based on their fixability, report confidence, and the impact they will have on your overall infrastructure.

  • Save time and minimize effort:

    • Automate exploitability and fixability updates, reducing manual tracking and human error. If there is any change to the metrics of Exploit Code Maturity, Remediation Level, and/or Report Confidence, your vulnerabilities will be automatically rescored based on this updated data.

    • Streamline your processes with scalable and repeatable custom rescores.

  • Maximize ROI:

    • Rescoring reduces repetitive manual assessment by weeks or even months, freeing engineers to focus on clinical innovation and reducing attrition.

    • Enables strategic risk mitigation, avoiding delays and improving product timelines.

  • Regulatory alignment: Meet FDA cybersecurity requirements by demonstrating proactive risk management tailored to your product's environment and usage. Ensure that you understand the impact of the recent regulatory changes included in the Patch Act, as well as the likelihood that the FDA will flag your submissions for connected devices due to cybersecurity deficits.

  • Increased accuracy: Tailored scoring ensures more precise prioritization and decision-making, avoiding the one-size-fits-all limitations of base CVSS scores, and the ever-evolving understanding of the flaws in the CVSS scoring system.

Rescore all vulnerabilities in a product version

You can rescore all CVSS 3.x vulnerabilities across a product version.

I haven't rescored the product version yet
  1. In the product/version selection bar, click the Rescore drop-down link > Rescore all vulnerabilities. This will display the Rescore panel.

  2. Specify a profile name and description.

  3. Click the Temporal score section to expand it. If you've used the CVSS 3.1 calculator before, our rescoring calculator should look very familiar!

  4. Select any Temporal metric values you'd like to apply across the product version.

  5. Click the Environmental score section to expand it.

  6. Select any Environmental metric value changes you'd like to apply across the product version.

  7. Click the Preview vulnerabilities tab to view a sample of five vulnerabilities to assess how the rescoring will impact them.

  8. Optional: In the Temporal section, toggle the Auto-update this vulnerability with exploitability changes switch. If you enable auto-update, the Temporal score metrics will become read-only, as they will be automatically updated based on exploitability changes. You can still individually rescore any vulnerability associated with this product, if desired. The last change made to a vulnerability — whether by a custom rescore global change or by an individual vulnerability rescore — will take precedence.

  9. On the Save & apply button, you'll see the number of vulnerabilities associated with this product version (Save & apply to x vulnerabilities). Click Save & apply to x vulnerabilities. You'll see a success message and will also see a new Rescore column with the rescored CVSS value for each vulnerability.

I've already rescored this product version
  1. In the product/version selection bar, click the Rescore drop-down link > Edit rescore. This will display the Edit rescore profile panel.

  2. Click the Temporal score section to expand it. If you've used the CVSS 3.1 calculator before, our rescoring calculator should look very familiar!

  3. Select any Temporal metric values you'd like to apply across the product version.

  4. Click the Environmental score section to expand it.

  5. Select any Environmental metric value changes you'd like to apply across the product version.

  6. Click the Preview vulnerabilities tab to view a sample of five vulnerabilities to assess how the rescoring will impact them.

  7. Optional: In the Temporal section, toggle the Auto-update this vulnerability with exploitability changes switch. If you enable auto-update, the Temporal score metrics will become read-only, as they will be automatically updated based on exploitability changes. You can still individually rescore any vulnerability associated with this product, if desired. The last change made to a vulnerability — whether by a custom rescore global change or by an individual vulnerability rescore — will take precedence.

  8. On the Save & apply button, you'll see the number of vulnerabilities associated with this product version (Save & apply to x vulnerabilities). Click Save & apply to x vulnerabilities. You'll see a success message and will also see an updated score in the Rescore column for each vulnerability.
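
To see what a product-wide profile does to individual scores, the following added example (not Helm's code) applies one Temporal and Environmental profile to three constructed base vectors, assuming the rescore panel follows the published CVSS v3.1 equations and weights. The profile string, sample vectors and function names are assumptions made for illustration.

```python
import math

# Metric weights from the CVSS v3.1 specification (FIRST.org).
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0},
     "PR": {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}},
     "E": {"X": 1, "H": 1, "F": .97, "P": .94, "U": .91},
     "RL": {"X": 1, "U": 1, "W": .97, "T": .96, "O": .95},
     "RC": {"X": 1, "C": 1, "R": .96, "U": .92}, "REQ": {"X": 1, "H": 1.5, "M": 1, "L": .5}}

def roundup(x):
    """Spec-defined Roundup: smallest one-decimal number >= x, safe against float noise."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse(vector):
    """Turn 'CVSS:3.1/AV:N/...' or a bare 'E:P/RL:O' override string into a dict."""
    return dict(p.split(":") for p in vector.split("/") if ":" in p and not p.startswith("CVSS"))

def _score(v, cr=1, ir=1, ar=1, modified=False):
    """Base formula, or its Modified (environmental) variant before temporal weighting."""
    c, i, a = (W["CIA"][v[k]] for k in "CIA")
    iss = 1 - (1 - cr * c) * (1 - ir * i) * (1 - ar * a)
    iss = min(iss, 0.915) if modified else iss
    changed = v["S"] == "C"
    if not changed:
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][v["AV"]] * W["AC"][v["AC"]] * W["PR"][v["S"]][v["PR"]] * W["UI"][v["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1) * (impact + expl), 10))

def rescore(base_vector, profile):
    """Return (base, temporal, environmental) scores for one vulnerability."""
    b, p = parse(base_vector), parse(profile)
    t = W["E"][p.get("E", "X")] * W["RL"][p.get("RL", "X")] * W["RC"][p.get("RC", "X")]
    mod = {k: p["M" + k] if p.get("M" + k, "X") != "X" else b[k] for k in b}
    req = [W["REQ"][p.get(k, "X")] for k in ("CR", "IR", "AR")]
    base = _score(b)
    return base, roundup(base * t), roundup(_score(mod, *req, modified=True) * t)

PROFILE = "E:P/RL:O/RC:C/MAV:L/CR:L"  # constructed product-wide profile
SAMPLES = ["CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # constructed base vectors
           "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
           "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"]
if __name__ == "__main__":
    print({v: rescore(v, PROFILE) for v in SAMPLES})
```

With this profile the first sample moves from a 9.8 base score to 8.8 temporal and 7.3 environmental. The third sample is already AV:L, so MAV:L changes nothing and its score drops only through CR:L and the temporal metrics.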

Rescore individual vulnerability

You can individually rescore any vulnerability. If you've already custom rescored a particular product version, this individual rescore will override the custom rescore for that vulnerability. The last change made to a vulnerability — whether by a custom rescore global change or by an individual vulnerability rescore — will take precedence.

  1. In the product/version selection bar of Vulnerabilities, you'll see a Rescore drop-down action link.

  2. Expand the Temporal score section, then modify the appropriate metric values.

  3. Expand the Environmental score section, then modify the appropriate metric values. You'll see the rescored value display in both the Temporal and Environmental sections, as well as in the summary information below these sections.

  4. Assess how this rescoring will impact the CVSS score of this vulnerability. If you're satisfied with this rescoring, click Save & apply.
