Summary
Implement a Risk-Based Prioritization Engine that calculates a composite risk score for each finding by combining severity, exploitability indicators, reachability, scanner confidence, and contextual signals, allowing users to focus on the vulnerabilities that pose the greatest real-world risk.
Motivation
Currently, PatchPilot prioritizes findings primarily by the scanner-provided severity level (Critical, High, Medium, Low).
However, two findings with the same severity may have vastly different real-world impacts:
- A reachable SQL Injection vulnerability exposed to users may be highly exploitable.
- A vulnerable package that is never imported may have significantly lower practical risk.
Security teams often struggle to decide which findings should be fixed first when hundreds of vulnerabilities are reported.
A risk-based prioritization system would help users focus remediation efforts where they provide the greatest security improvement.
Proposed solution
Introduce a scoring engine that computes a normalized risk score for each finding.
Example Inputs
- Severity
- Reachability
- Exploitability indicators
- Dependency depth
- Scanner confidence
- Secret exposure
- Historical recurrence
Example Output
{
"finding_id": "F-102",
"severity": "High",
"risk_score": 92,
"risk_level": "Critical Priority"
}
Priority Levels
90–100 Critical Priority
70–89 High Priority
40–69 Medium Priority
0–39 Low Priority
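As an added illustration (not PatchPilot's own code), a minimal scoring engine in Python that combines the example inputs above into a normalized 0-100 score, maps it onto the priority bands listed here, and returns records in the shape of the example output. The Finding fields, the weights, and the two sample findings are assumptions constructed for this example; the point it shows is that two "High" findings can land in different priority bands depending on context.

```python
from dataclasses import dataclass

# Base points per scanner severity (assumed weights, not PatchPilot's actual ones).
SEVERITY_BASE = {"Critical": 80, "High": 60, "Medium": 35, "Low": 15}

@dataclass
class Finding:
    finding_id: str
    severity: str
    reachable: bool        # vulnerable code path reachable from an entry point
    exploit_known: bool    # exploitability indicators (e.g. public exploit available)
    dependency_depth: int  # 0 = direct dependency, N = transitive at depth N
    confidence: float      # scanner confidence in [0.0, 1.0]
    secret_exposed: bool   # finding involves an exposed credential
    recurrence: int        # number of prior scans that reported this finding

def risk_score(f: Finding) -> int:
    """Combine contextual signals into a normalized 0-100 score."""
    score = SEVERITY_BASE.get(f.severity, 0)
    score += 20 if f.reachable else -15       # reachability carries the most weight
    score += 15 if f.exploit_known else 0
    score -= min(f.dependency_depth, 3) * 5   # deeper transitive deps score lower
    score += 10 if f.secret_exposed else 0
    score += min(f.recurrence, 3) * 3         # repeatedly reported findings creep up
    # Scale by confidence so a low-confidence hit cannot outrank a confirmed one.
    score *= 0.5 + 0.5 * max(0.0, min(1.0, f.confidence))
    return max(0, min(100, round(score)))

def risk_level(score: int) -> str:
    """Map a score onto the priority bands from this issue."""
    if score >= 90: return "Critical Priority"
    if score >= 70: return "High Priority"
    if score >= 40: return "Medium Priority"
    return "Low Priority"

def prioritize(findings):
    """Return API-style records sorted so the riskiest finding comes first."""
    scored = [{"finding_id": f.finding_id, "severity": f.severity,
               "risk_score": risk_score(f), "risk_level": risk_level(risk_score(f))}
              for f in findings]
    return sorted(scored, key=lambda r: r["risk_score"], reverse=True)

# Constructed sample: two "High" findings with very different context.
SAMPLE = [
    Finding("F-201", "High", reachable=False, exploit_known=False, dependency_depth=2,
            confidence=0.6, secret_exposed=False, recurrence=0),
    Finding("F-202", "High", reachable=True, exploit_known=True, dependency_depth=0,
            confidence=1.0, secret_exposed=False, recurrence=0),
]
```

Running `prioritize(SAMPLE)` places F-202 first as Critical Priority while F-201, the unreachable transitive dependency, drops to Low Priority despite sharing the same scanner severity.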
Backend
- Create risk scoring service.
- Aggregate contextual metadata from findings.
- Generate normalized risk scores.
- Expose scores through API responses.
Frontend
- Display risk score badges.
- Allow sorting by risk score.
- Highlight top-risk findings.
- Add risk distribution visualization.
Evidence Pack Integration
Include:
risk-prioritization-report.json
risk-score-summary.txt
in generated evidence packs.
ML tier (if applicable)
Alternatives considered
- Use scanner severity alone.
  - Rejected because severity does not always reflect real-world exploitability.
- Manually prioritize findings.
  - Rejected because it does not scale for large projects.
- Static weighting rules only.
  - Rejected because future versions may benefit from learned prioritization models.
Acceptance criteria
Additional context
This feature aligns with modern vulnerability management platforms that prioritize findings using contextual risk analysis rather than severity alone. It also provides a strong foundation for future exploit likelihood prediction and intelligent remediation workflows.