[REVIEW] patch-prioritization: add exploit-chain blast-radius grouping gates

[malb200710-dev]

Review target

skills/vuln-management/patch-prioritization

Gap

The patch prioritization skill prioritizes individual findings using SSVC, EPSS, KEV, SLA tiers, compensating controls, and patch windows. It does not require grouping findings that form an exploit chain or share a blast-radius boundary. As a result, several moderate/high findings may remain under-prioritized even when they combine into a critical path.

Why this matters

Patch backlogs are often exploited as chains rather than single CVEs:

• one vulnerability gives initial access while another gives privilege escalation;
• identity-plane findings combine with app or CI/CD findings;
• many findings share one base image, AMI, Kubernetes cluster, network tier, or service account;
• patching one shared component can close many findings;
• leaving one missing patch can keep the exploit chain viable;
• CVEs scored separately can hide a larger blast radius across users, assets, or data stores.

Proposed evidence gates

Add exploit-chain/blast-radius grouping for:

• exploit chain role;
• shared asset group/control boundary;
• chaining prerequisites;
• blast radius;
• tier adjustment when combined risk exceeds individual CVE priority;
• patch grouping/coordinated change plan;
• output table for Exploit Chain Patch Groups.

Bounty request

Reviewer tier ($25) if this review is accepted. I can provide payment details if accepted.

[malb200710-dev]

Implemented this review as PR #2242: #2242

Scope: exploit-chain role, shared boundary, prerequisites, blast radius, tier adjustment, and patch grouping evidence for patch prioritization.

[JamesJi79]

/attempt #2241

I will submit a VALID GAP analysis for this review.

[JamesJi79]

VALID GAP - exploit-chain blast-radius grouping for patch-prioritization

Why Valid (FP confirmed)

The skill prioritizes individual CVEs using SSVC, EPSS, KEV, SLA tiers, compensating controls, and patch windows - all sound approaches for single-finding ranking. However, real-world attacks rarely exploit a single CVE in isolation. CVEs are often chained together (initial access -> privilege escalation -> lateral movement -> data exfiltration), and their combined risk far exceeds any individual CVSS score. A finding ranked "moderate" on its own may be the critical enabler for a "high" to become a catastrophic exploit. Without chain-aware grouping, the skill produces a patch queue that looks defensible on paper but leaves door-to-door exploitation paths unpatched. This FP confirms that the current skill correctly scores individual findings but lacks the blast-radius coordination that real incident response demands.

Coverage Gaps

Gap 1 - Exploit chain role assignment - The skill does not assign an exploit-chain role (entry, pivot, privilege-escalation, persistence, exfiltration) to each finding. Without role tagging, two moderate findings that form a complete attack path remain independently low-priority and never trigger coordinated patch action. Need gate: Add an exploit_chain_role field with automatic annotation from ATT&CK technique mapping.

Gap 2 - Shared asset/control-boundary grouping - Many findings share the same base image, Kubernetes cluster, network tier, service account, or identity provider. Patching one shared component (e.g., updating a base AMI) can close dozens of findings. The current skill treats each finding independently, missing the opportunity for batch-patch grouping. Need gate: Require grouping findings that reference the same shared asset_group_id, control_boundary, or base_image_ref, and produce a coordinated-patch plan.

Gap 3 - Blast-radius tier escalation - When two or more findings combine into a single exploit chain or share a blast-radius boundary (e.g., both affect the same user-data store or critical asset), their individual EPSS and SSVC scores should be combined into a chain_priority_score that can escalate one or more findings to a higher priority tier. The current skill has no mechanism for combined-risk escalation. Need gate: Define a chain_priority_score = max(individual_scores) + sum(normalized_chain_severity) and auto-escalate any finding whose combined score crosses the SLA tier boundary.

Suggested Gates

1. VULN-PP-01: Exploit chain role annotation - Each finding must be annotated with an exploit_chain_role (entry/pivot/priv-esc/exfil/isolated) derived from CWE chain pattern matching. Evidence: role-annotated patch queue with at least one exploit chain spanning >=2 findings.

2. VULN-PP-02: Shared-asset patch-group output - The skill must output one or more PatchGroup tables that group findings by shared asset_group_id, base_image_ref, cluster_id, or control_boundary. Evidence: patch-group table with >=2 grouped findings and a coordinated-patch plan for each group.

3. VULN-PP-03: Blast-radius combined-risk escalation - The skill must detect when two or more findings share a blast-radius boundary (same target asset group, user store, or network tier) and escalate the combined priority if chain_priority_score crosses the SSVC responder threshold. Evidence: sample output showing a finding that was escalated from moderate to high based on chain risk.