Death by Critical CVE: Escaping the Flood of Score-Based Remediation

Courtney Burr

SAINTCON 2025 · Day 2 · Main Track 1

Organizations are perpetually overwhelmed by an ever-increasing deluge of vulnerabilities, each demanding attention and remediation. Courtney Burr, a Senior Security Solutions Architect at Qualys, tackles this challenge in his SAINTCON presentation, "Death by Critical CVE: Escaping the Flood of Score-Based Remediation." Co-authored with Andrew Nelson, the talk critically examines the prevalent, yet often flawed, practice of prioritizing vulnerability remediation solely on the basis of the **Common Vulnerability Scoring System (CVSS)**. Burr argues that while CVSS provides a technical severity score, it fails to capture the true business risk and exploitability of a vulnerability, leading to misprioritization, wasted resources, and increased organizational exposure.
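To make the abstract's point concrete, here is an added example (not part of the talk or of any Qualys product) that ranks a small constructed inventory two ways: by CVSS base score alone, and by a simple risk model that weights the score by exploitability evidence and by the exposed asset's business context. The risk formula, the weighting factors and the finding identifiers are all assumptions chosen for illustration; the interesting part is how far the two orderings diverge.

```python
"""Score-based vs. risk-based remediation ordering on a constructed inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (all field names are assumptions)."""
    ident: str                  # constructed label, not a real CVE id
    cvss: float                 # CVSS base score, 0.0-10.0
    known_exploited: bool       # confirmed exploitation in the wild
    exploit_probability: float  # 0.0-1.0 estimate of exploitation likelihood
    internet_facing: bool       # reachable from untrusted networks
    asset_criticality: int      # 1 (lab box) .. 5 (revenue-critical system)
    compensating_control: bool  # e.g. vulnerable feature disabled or filtered


def score_based_order(findings):
    """The practice the talk criticizes: remediate highest CVSS first."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_score(f):
    """Illustrative risk model: severity x exploitability x exposure x business value.

    Confirmed exploitation counts fully; otherwise the probability estimate is
    used with a floor so nothing is treated as impossible. Non-internet-facing
    assets and assets with a compensating control are discounted.
    """
    exploitability = 1.0 if f.known_exploited else max(f.exploit_probability, 0.05)
    exposure = 1.0 if f.internet_facing else 0.4
    if f.compensating_control:
        exposure *= 0.5
    return f.cvss * exploitability * exposure * f.asset_criticality


def risk_based_order(findings):
    """Remediate by modelled risk rather than by raw severity."""
    return [f.ident for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory: five findings with deliberately mismatched
# severity and context.
SAMPLE = [
    Finding("LAB-CRITICAL", 9.8, False, 0.01, False, 1, False),
    Finding("WEB-EXPLOITED", 7.5, True, 0.90, True, 5, False),
    Finding("WEB-MITIGATED", 8.8, False, 0.30, True, 3, True),
    Finding("DB-INTERNAL", 9.1, False, 0.02, False, 4, False),
    Finding("HR-EXPLOITED", 6.5, True, 0.80, False, 4, False),
]


def compare(findings):
    """Return both orderings side by side for a quick review."""
    return {"by_cvss": score_based_order(findings),
            "by_risk": risk_based_order(findings)}


if __name__ == "__main__":
    for label, order in compare(SAMPLE).items():
        print(f"{label:8s}: {order}")
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.ident:14s} cvss={f.cvss:4.1f} risk={risk_score(f):6.2f}")
```

Run stand-alone, the CVSS ordering puts the isolated lab box first and the actively exploited, internet-facing production finding fourth; the risk ordering inverts that. The numbers themselves are not the point, and a real programme would draw exploitability from threat intelligence and asset context from a CMDB, but any model that incorporates those inputs will reorder a queue that CVSS alone sorts poorly.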
