ClickMasters

Cybersecurity & Compliance

Vulnerability Assessment Services FAQs

What is a CVE and how are they scored?

A CVE (Common Vulnerabilities and Exposures) entry is a publicly disclosed security vulnerability in a software component, identified by a unique CVE ID (e.g., CVE-2021-44228 is the Log4Shell vulnerability). Each CVE is scored using CVSS (Common Vulnerability Scoring System) v3.1 on a 0-10 scale: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). The score is calculated from Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity (Low/High), Privileges Required (None/Low/High), User Interaction (None/Required), and the impact on Confidentiality, Integrity, and Availability (None/Low/High). The CVSS base score measures severity in isolation: a Critical-score CVE on a development system with no network access is less urgent than a Medium-score CVE on an internet-facing authentication endpoint. ClickMasters adds business context to CVSS scores (asset criticality, exploitability, and reachability) to produce a prioritised remediation list rather than a raw CVSS ranking.

How many vulnerabilities does a typical assessment find?

The number of findings varies widely with the organisation's security maturity. A first-time vulnerability assessment of a typical B2B SaaS product typically finds: 0-5 Critical findings (serious misconfigurations or unpatched critical CVEs; the immediate-action list), 5-20 High findings (significant vulnerabilities requiring prompt remediation), 20-50 Medium findings (important but less urgent; typically scheduled for the next release cycle), and 50-200+ Low findings (informational: good practices not followed, minor configuration improvements). The goal is not zero findings; every system has some vulnerabilities. The goal is: no Critical findings, High findings remediated within 30 days, and a systematic process for managing Medium and Low findings over time. ClickMasters' report prioritises findings by risk rather than raw count: a client with 3 Critical findings needs to fix 3 things urgently; a client with 150 Low findings has a well-maintained security posture.

What is reachability analysis and why does it matter for dependency vulnerabilities?

Reachability analysis determines whether the vulnerable code path in a third-party library is actually called by the application, distinguishing between 'this library has a CVE' and 'this application uses the vulnerable function in this library'. Example: a CVE in a logging library's XML parsing functionality is Critical (CVSS 9.8). But if the application only uses the library for console output and never calls the XML parsing function, the CVE is not reachable and the application is not vulnerable. Without reachability analysis, a standard dependency scan of a modern Node.js or Python application can produce hundreds of CVEs, most of which are in code paths the application never uses. Snyk and GitHub's Dependabot implement reachability analysis for Node.js applications, significantly reducing the number of findings that require immediate action. ClickMasters uses reachability analysis in all dependency audits to produce an actionable, prioritised list.
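The logging-library example above, as an added illustration of what a reachability analyser actually does (this is not ClickMasters', Snyk's or Dependabot's code). It builds a static call graph from Python source with the standard `ast` module and asks whether a hypothetical vulnerable function (`toylog._xml_parse`) is transitively reachable from the application's entry point. The library `toylog`, both application modules and the "vulnerable" function are all constructed for the example.

```python
import ast
from collections import defaultdict

# Constructed toy logging library: console output plus an XML helper that we
# treat as the hypothetical vulnerable code path (CVSS 9.8 in the FAQ's example).
TOYLOG_SRC = '''
def log(msg):
    _write(msg)

def _write(msg):
    print(msg)

def parse_config_xml(text):
    return _xml_parse(text)

def _xml_parse(text):          # hypothetically vulnerable function
    return text
'''

# Constructed application that only logs to the console.
CONSOLE_APP_SRC = '''
import toylog

def handle_request(req):
    toylog.log("request " + req)

def main():
    handle_request("x")
'''

# Constructed application that also parses configuration through the library.
XML_APP_SRC = '''
import toylog

def load_settings(path):
    with open(path) as f:
        return toylog.parse_config_xml(f.read())

def main():
    load_settings("settings.xml")
'''

CONSOLE_APP = {"toylog": TOYLOG_SRC, "app": CONSOLE_APP_SRC}
XML_APP = {"toylog": TOYLOG_SRC, "app": XML_APP_SRC}


def build_call_graph(modules: dict) -> dict:
    """Map 'module.function' -> set of 'module.function' callees.

    Only direct calls are resolved: bare names inside the same module and
    'module.attr' calls on an imported module. Anything unresolved (builtins,
    method calls on local objects) is ignored, which is the usual source of
    false negatives in static reachability tools."""
    trees = {mod: ast.parse(src) for mod, src in modules.items()}
    defined = {f"{mod}.{node.name}"
               for mod, tree in trees.items()
               for node in ast.walk(tree) if isinstance(node, ast.FunctionDef)}
    graph = defaultdict(set)
    for mod, tree in trees.items():
        for fn in ast.walk(tree):
            if not isinstance(fn, ast.FunctionDef):
                continue
            caller = f"{mod}.{fn.name}"
            graph[caller]                       # make sure every function has a node
            for call in ast.walk(fn):
                if not isinstance(call, ast.Call):
                    continue
                target = call.func
                if isinstance(target, ast.Name):
                    callee = f"{mod}.{target.id}"
                elif isinstance(target, ast.Attribute) and isinstance(target.value, ast.Name):
                    callee = f"{target.value.id}.{target.attr}"
                else:
                    continue
                if callee in defined:
                    graph[caller].add(callee)
    return dict(graph)


def reachable_from(graph: dict, entry: str) -> set:
    """Transitive closure of the call graph from one entry point."""
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def is_reachable(modules: dict, entry: str, vulnerable_symbol: str) -> bool:
    """True if the vulnerable function can be called from the entry point."""
    return vulnerable_symbol in reachable_from(build_call_graph(modules), entry)


if __name__ == "__main__":
    for name, app in (("console-only app", CONSOLE_APP), ("xml-config app", XML_APP)):
        hit = is_reachable(app, "app.main", "toylog._xml_parse")
        print(f"{name}: toylog._xml_parse reachable = {hit}")
```

The console-only application reaches `toylog.log` and `toylog._write` but never `toylog._xml_parse`, so the library's CVE is present in the dependency tree yet not reachable; the second application is. The caveat for practitioners is in the docstring: a static analyser can only mark a path unreachable for calls it can resolve, so dynamic dispatch, reflection and plugin loading must be treated as "unknown" rather than "safe" when you use reachability to downgrade a finding.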

How do you prioritise which vulnerabilities to fix first?

Vulnerability prioritisation uses a risk-based framework rather than the raw CVSS score. The prioritisation factors are: Exploitability in the wild (is this CVE being actively exploited? The CISA KEV (Known Exploited Vulnerabilities) catalogue lists CVEs with confirmed exploitation; these are the highest priority regardless of CVSS score), Public exploit availability (is a working exploit available in Metasploit or Exploit-DB? This reduces the attacker skill required to exploit), Asset criticality (a Critical CVE on a development server is less urgent than a High CVE on the production authentication service), Reachability (is the vulnerable code path actually invoked by the application?), and Remediation effort (a trivial patch that takes 10 minutes is done immediately; a breaking major version upgrade requiring 2 weeks of work is planned and scheduled). ClickMasters delivers a prioritised remediation plan based on this framework: P1 (fix within 24 hours), P2 (fix within 7 days), P3 (fix within 30 days), P4 (fix within 90 days).
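An added example of how the five factors above can be combined into P1-P4 buckets. This is illustrative code written for this page, not ClickMasters' scoring model: the P1-P4 deadlines are the ones stated above, but the adjustment weights for asset criticality and public exploit availability, the bucket thresholds, and the rule that an unreachable finding drops to P4 are assumptions chosen to reproduce the trade-offs the FAQ describes. The findings are constructed, with placeholder CVE IDs except for CVE-2021-44228.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss_base: float
    in_cisa_kev: bool          # confirmed exploitation in the wild
    public_exploit: bool       # working module in Metasploit / Exploit-DB
    asset_criticality: str     # "critical", "high", "medium" or "low"
    reachable: bool            # vulnerable code path actually invoked
    remediation_hours: float   # estimated effort to fix


# Deadlines from the FAQ's P1-P4 framework.
SLA_HOURS = {"P1": 24, "P2": 7 * 24, "P3": 30 * 24, "P4": 90 * 24}

# Assumed weights (illustrative, not a published model): business context moves
# the CVSS score up or down before bucketing.
ASSET_WEIGHT = {"critical": 1.5, "high": 0.5, "medium": -1.0, "low": -2.5}
PUBLIC_EXPLOIT_WEIGHT = 1.0
TRIVIAL_FIX_HOURS = 1.0


def risk_score(f: Finding) -> float:
    """CVSS base score adjusted for asset criticality and exploit availability,
    clamped to the 0-10 range."""
    score = f.cvss_base + ASSET_WEIGHT[f.asset_criticality]
    if f.public_exploit:
        score += PUBLIC_EXPLOIT_WEIGHT
    return max(0.0, min(10.0, score))


def prioritise(f: Finding) -> str:
    """Assign a P1-P4 bucket using the FAQ's ordering of factors."""
    if not f.reachable:
        return "P4"             # present in the dependency tree, never invoked
    if f.in_cisa_kev:
        return "P1"             # KEV listing wins regardless of CVSS score
    s = risk_score(f)
    if s >= 9.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    if s >= 4.0:
        return "P3"
    return "P4"


def remediation_plan(findings) -> list:
    """Return (priority, cve_id, action) rows, most urgent first. Trivial fixes
    are done immediately whatever their bucket; larger work is scheduled
    against the bucket's deadline."""
    rows = []
    for f in findings:
        p = prioritise(f)
        if f.remediation_hours <= TRIVIAL_FIX_HOURS:
            action = "patch now"
        else:
            action = f"schedule within {SLA_HOURS[p]} h"
        rows.append((p, f.cve_id, action, risk_score(f)))
    rows.sort(key=lambda r: (r[0], -r[3]))
    return [(p, cve, action) for p, cve, action, _ in rows]


# Constructed findings; CVE-XXXX-* are placeholders, not real identifiers.
DEV_CRITICAL = Finding("CVE-XXXX-0001", 9.8, False, False, "low", True, 0.25)
PROD_AUTH_HIGH = Finding("CVE-XXXX-0002", 8.1, False, True, "critical", True, 2.0)
KEV_FINDING = Finding("CVE-2021-44228", 10.0, True, True, "medium", True, 4.0)
UNREACHABLE = Finding("CVE-XXXX-0003", 9.8, False, True, "critical", False, 80.0)
MEDIUM_FINDING = Finding("CVE-XXXX-0004", 5.3, False, False, "medium", True, 0.5)
SAMPLE_FINDINGS = [DEV_CRITICAL, PROD_AUTH_HIGH, KEV_FINDING, UNREACHABLE, MEDIUM_FINDING]


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(*row, sep="  ")
```

With these weights the Critical CVE on the development server lands in P2 while the High CVE on the production authentication service lands in P1, which is the inversion the FAQ describes; the unreachable Critical goes to P4 no matter how high its CVSS score, and the KEV-listed finding is P1 before any arithmetic happens.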