Risk Scoring

DevGuard calculates risk scores for every vulnerability using a multi-dimensional formula that goes beyond simple CVSS severity ratings. This enables accurate prioritization based on actual threat to your applications, not just theoretical vulnerability severity.

Why Risk Scoring Matters

Not all “High” severity vulnerabilities pose equal risk. A critical CVE in a deep transitive dependency with no known exploits presents far less danger than a moderate severity vulnerability in a direct dependency actively exploited in the wild. DevGuard’s risk scoring combines multiple factors to answer: Which vulnerabilities actually threaten your applications?

The Risk Formula

DevGuard uses a comprehensive formula balancing four critical dimensions:

Risk = ((CVSS-BE × (EPSS + 1)) / 2) / Component Depth

CVSS-BE: Technical severity adjusted for your organizational context (Confidentiality, Integrity, Availability requirements)

EPSS: Exploit Prediction Scoring—probability the vulnerability will be exploited within 30 days based on threat intelligence

Component Depth: Position in your dependency tree—deeper dependencies are less exploitable than direct ones


This formula ensures high-risk scores reflect genuine threats combining technical severity, exploit probability, organizational impact, and attack surface—not just CVSS numbers.

Example Comparison

Vulnerability A:

  • CVSS: 9.8 (Critical)
  • EPSS: 0.5% (very low exploitation probability)
  • Depth: 5 (deep transitive dependency)
  • DevGuard Risk: 2.1 (Low-Medium)

Vulnerability B:

  • CVSS: 7.5 (High)
  • EPSS: 78% (actively exploited)
  • Depth: 1 (direct dependency)
  • DevGuard Risk: 6.7 (High)

Despite lower CVSS, Vulnerability B receives higher priority—it’s actively exploited and directly reachable in your codebase.
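The formula above, applied to the two vulnerabilities as an added worked example (this is illustrative code written for this page, not DevGuard's own implementation). It assumes EPSS is supplied as a fraction (78% = 0.78) and that CVSS-BE is passed in already adjusted; because the page does not show the organizational adjustment applied to Vulnerability A, its raw CVSS base score is used here as an assumption, so A's number differs from the page's 2.1 while the ranking conclusion is unchanged.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    cvss_be: float  # CVSS adjusted for organisational context, 0.0-10.0
    epss: float     # exploit probability within 30 days, 0.0-1.0
    depth: int      # position in the dependency tree; 1 = direct dependency


def risk_score(cvss_be: float, epss: float, depth: int) -> float:
    """Risk = ((CVSS-BE * (EPSS + 1)) / 2) / Component Depth."""
    if not 0.0 <= cvss_be <= 10.0:
        raise ValueError("CVSS-BE must be between 0 and 10")
    if not 0.0 <= epss <= 1.0:
        raise ValueError("EPSS must be a fraction between 0 and 1 (78% -> 0.78)")
    if depth < 1:
        raise ValueError("Component depth starts at 1 for a direct dependency")
    return ((cvss_be * (epss + 1)) / 2) / depth


def prioritize(findings: list[Finding]) -> list[tuple[Finding, float]]:
    """Return (finding, score) pairs ordered from highest to lowest risk."""
    scored = [(f, risk_score(f.cvss_be, f.epss, f.depth)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample input mirroring the page's comparison.
# Vulnerability A uses its CVSS base score as the CVSS-BE value (assumption).
SAMPLE = [
    Finding("A", cvss_be=9.8, epss=0.005, depth=5),
    Finding("B", cvss_be=7.5, epss=0.78, depth=1),
]

if __name__ == "__main__":
    for finding, score in prioritize(SAMPLE):
        print(f"{finding.name}: risk {score:.1f}")
```

Vulnerability B reproduces the page's 6.7 exactly; the ordering shows why an actively exploited direct dependency outranks a critical-rated but deeply nested one.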

Dynamic Risk Updates

Risk scores recalculate multiple times daily as threat intelligence evolves:

  • New exploits published: EPSS increases, risk score rises
  • Patches released: Risk urgency changes
  • Dependency updates: Component depth shifts
  • Security requirements changed: Environmental context adjusts scores

DevGuard automatically notifies you when risk scores change significantly, ensuring priorities stay current with the threat landscape.


For complete details on the risk calculation methodology, vulnerability dimensions, and best practices, see the Vulnerability Risk Assessment Methodology documentation.