A Risk-Based Prioritization Taxonomy for prioritizing CVEs (Common Vulnerabilities and Exposures).

A Risk Remediation Taxonomy is defined here to support Risk Based Prioritization of CVEs:

• the constituent components of risk and remediation for a CVE
• the associated data sources for these components

A Risk-based Decision Tree is defined with

• inputs for the Decision Tree Decision Nodes
• output Decisions

The Risk Remediation Taxonomy and Decision Tree are part of a conference presentation by Yahoo Chris Madden: https://www.bsidesdub.ie/ May 27 2023.

• See the slide deck and the recording.

Diagram Source: RiskRemediation_top.puml

Diagram Source: RiskRemediation.puml

The inputs for the Decision Tree Decision Nodes - and associated data sources from Risk Remediation Taxonomy.

Diagram Source: DT_decisions.puml

The Decision Tree with output Decisions

Diagram Source: DT_Full.puml.

Please refer to the Contributing.md file for information about how to get involved. We welcome issues, questions, and pull requests.

The diagram(s) are written in the wonderful Plantuml.

• See https://plantuml.com/running for the many ways to render Plantuml. e.g.

  plantuml *.puml -o ./images
  

• or type

  make
  

This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.