Review target
skills/vuln-management/cve-triage
Gap
The current CVE triage skill allows compensating controls to justify de-escalation, but it does not require evidence that the control blocks the specific exploit path for the affected deployment. As written, it can lower remediation SLAs on the strength of generic mitigations such as "WAF present", "segmented network", or "EDR installed" without proving that the mitigation removes the CVE's exploit prerequisites, covers every affected asset, and survives known bypass paths.
Why this matters
CVE triage decisions often depend on whether a control truly changes risk:
- a WAF rule may not cover alternate endpoints, authenticated paths, JSON/XML payloads, or internal traffic;
- segmentation may block internet access but not lateral/internal exploit paths;
- EDR may detect post-exploitation behavior but not prevent initial exploitation;
- a feature flag may disable one vulnerable code path while batch/offline processing still uses the vulnerable component;
- controls may cover only a subset of containers, hosts, package instances, regions, or IPv6 paths;
- temporary mitigations can expire or be rolled back without changing the CVE SLA decision.
Proposed evidence gates
Add a compensating-control verification step requiring:
- control-to-vector mapping against CVSS/SSVC exploit path;
- exploit prerequisite coverage;
- runtime/fleet scope coverage;
- effectiveness evidence such as WAF hits, deny logs, EDR telemetry, service mesh decisions, feature flag/config state, or safe negative test;
- bypass review;
- owner, expiry/review date, monitoring, and rollback criteria;
- explicit rule that unverified or partial mitigations must not reduce the SLA.
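The gates above, and the partial-coverage cases listed under "Why this matters", as an added example that is not part of the reviewed skill: a small Python model in which each claimed control is checked against the finding's exploit path, prerequisites, fleet scope, evidence, bypass review, owner and expiry, and the SLA is lowered only when verified controls cover every affected asset. Control kinds, evidence type names, asset names and the "CVE-EXAMPLE" identifier are constructed for illustration; the vector table is a hypothetical default that a real skill would curate.

```python
"""Compensating-control evidence gate for CVE triage (added example, not the skill's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Attack vectors a control class can stop at initial exploitation. Hypothetical
# defaults: EDR is detection/response and so blocks nothing here; a real skill
# would keep a curated table per control kind.
VECTORS_BLOCKED_BY_KIND = {
    "waf": {"network"},
    "segmentation": {"network", "adjacent"},
    "feature_flag": {"network", "adjacent", "local"},
    "edr": set(),
}
# Evidence types the gate accepts as proof the control is live and effective.
ACCEPTED_EVIDENCE = {"waf_hit_log", "deny_log", "edr_telemetry",
                     "mesh_policy_decision", "config_state", "negative_test"}


@dataclass(frozen=True)
class Finding:
    cve: str
    attack_vector: str          # CVSS AV: network / adjacent / local / physical
    prerequisites: frozenset    # what the exploit needs, e.g. "unauth_http_reach"
    affected_assets: frozenset  # every host/container/instance running the component
    base_sla: str               # "immediate", "out_of_cycle" or "standard"


@dataclass(frozen=True)
class Control:
    kind: str
    covered_assets: frozenset          # assets the control actually fronts
    prerequisites_removed: frozenset   # exploit prerequisites the control takes away
    evidence: frozenset                # observed effectiveness evidence types
    bypass_reviewed: bool
    owner: Optional[str]
    expires: Optional[date]            # expiry / review date


def verify_control(finding, control, today):
    """Return (assets this control is verified to protect, list of gate failures).

    Any failed gate means the control protects nothing for SLA purposes, even on
    assets where it is deployed: partial or unverified mitigation must not
    reduce the SLA.
    """
    fails = []
    if finding.attack_vector not in VECTORS_BLOCKED_BY_KIND.get(control.kind, set()):
        fails.append(f"{control.kind}: does not block {finding.attack_vector} exploitation")
    left = finding.prerequisites - control.prerequisites_removed
    if left:
        fails.append(f"{control.kind}: exploit prerequisites still met: {sorted(left)}")
    if not control.evidence & ACCEPTED_EVIDENCE:
        fails.append(f"{control.kind}: no effectiveness evidence")
    if not control.bypass_reviewed:
        fails.append(f"{control.kind}: bypass review not recorded")
    if control.owner is None:
        fails.append(f"{control.kind}: no owner")
    if control.expires is None:
        fails.append(f"{control.kind}: no expiry/review date")
    elif control.expires <= today:
        fails.append(f"{control.kind}: expired {control.expires.isoformat()}")
    if fails:
        return frozenset(), fails
    return control.covered_assets & finding.affected_assets, []


def decide_sla(finding, controls, today, de_escalated="standard"):
    """Return (sla, notes). The SLA drops only when verified controls cover every affected asset."""
    protected, notes = frozenset(), []
    for control in controls:
        covered, fails = verify_control(finding, control, today)
        protected |= covered
        notes.extend(fails)
    uncovered = finding.affected_assets - protected
    if uncovered:
        notes.append(f"no verified control for: {sorted(uncovered)}")
        return finding.base_sla, notes
    return de_escalated, notes


# Constructed sample: a network-reachable RCE needing only unauthenticated HTTP
# reach. Two web nodes sit behind the WAF; the batch worker runs the same
# component internally and never traverses the WAF.
TODAY = date(2024, 1, 15)
FINDING = Finding("CVE-EXAMPLE", "network", frozenset({"unauth_http_reach"}),
                  frozenset({"web-01", "web-02", "batch-01"}), "immediate")
WAF = Control("waf", frozenset({"web-01", "web-02"}), frozenset({"unauth_http_reach"}),
              frozenset({"waf_hit_log", "negative_test"}), True, "appsec", TODAY + timedelta(days=30))
EDR = Control("edr", FINDING.affected_assets, frozenset(), frozenset({"edr_telemetry"}),
              True, "secops", TODAY + timedelta(days=30))
FLAG = Control("feature_flag", frozenset({"batch-01"}), frozenset({"unauth_http_reach"}),
               frozenset({"config_state", "negative_test"}), True, "platform", TODAY + timedelta(days=14))
EXPIRED_FLAG = Control("feature_flag", frozenset({"batch-01"}), frozenset({"unauth_http_reach"}),
                       frozenset({"config_state"}), True, "platform", TODAY - timedelta(days=1))


def run_scenarios():
    """Three triage outcomes for the same finding, keyed by scenario name."""
    return {
        "waf_and_edr_only": decide_sla(FINDING, [WAF, EDR], TODAY)[0],
        "waf_flag_all_assets": decide_sla(FINDING, [WAF, EDR, FLAG], TODAY)[0],
        "flag_expired": decide_sla(FINDING, [WAF, EXPIRED_FLAG], TODAY)[0],
    }


if __name__ == "__main__":
    for name, sla in run_scenarios().items():
        print(f"{name}: {sla}")
```

The design choice worth noting is that coverage is computed per asset rather than per control: the WAF genuinely protects the two web nodes, but the batch worker keeps the finding at its base SLA until a verified control (here a feature flag with config-state evidence) covers it too, and EDR contributes nothing because it neither blocks the network vector nor removes the exploit prerequisite. An expired or unowned control drops out entirely instead of counting as partial coverage.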
Suggested severity
This is a triage correctness gap. It should prevent false de-escalation for otherwise Immediate or Out-of-Cycle CVEs.
Bounty request
Reviewer tier ($25) if this review is accepted. I can provide payment details if accepted.