CVE management is a layered workflow for discovering, prioritizing, remediating, and verifying vulnerabilities. EPSS, CISA KEV, SSVC, and reachability analysis filter scanner noise into environment-specific action.
CVE management handles the scale created by the NVD's 361,501 CVE vulnerabilities, where raw severity scores alone can mark a large share of scored records as urgent.
TL;DR
High and Critical CVSS v3 records account for 107,039 of 192,850 scored NVD records. Teams that gate on CVSS alone inherit an oversized remediation queue. A CVE management program adds EPSS, CISA KEV, SSVC, and reachability, integrates CI/CD scanning, and measures remediation against severity-tiered SLAs using NIST, CISA, and FIRST guidance.
Why Scanner Reports Overwhelm Remediation Teams
An engineer opens a container scan report and finds 400 flagged CVEs on a single image. Most carry a CVSS score of 7.0 or higher, and the report gives no signal about which vulnerable code an attacker could reach. Organizations now face record CVE submissions, which raises the pressure on scanner triage and remediation planning.
That backlog comes from treating CVSS as a risk score. CVSS measures intrinsic severity, so teams need separate signals for exploitation likelihood and environmental risk.
This guide explains how the CVE system works, how teams layer prioritization signals, where scanning belongs in CI/CD, and how to measure outcomes.
The CVE management workflow in this guide follows five steps:
- Discover assets, packages, versions, and exposure.
- Triage findings with CVSS, EPSS, KEV, SSVC, and reachability.
- Select a risk response: accept, patch, compensate, or replace.
- Verify that remediation or controls work as intended.
- Integrate scanning and policy gates into CI/CD.
These steps turn scanner findings into prioritized, verified remediation work before new exposure reaches production. Augment Cosmos, the unified cloud agents platform, ships reference experts such as Deep Code Review, PR Author, E2E Testing, and Incident Response that map onto the triage, remediation, and verification stages, so teams can automate the mechanical parts of the workflow while keeping human judgment at the checkpoints that matter.
What Is a CVE and How Does the CVE System Work?
A CVE record gives one publicly disclosed vulnerability a shared identifier so security, engineering, vendor, and risk teams can coordinate remediation. The CVE program functions as a dictionary of vulnerabilities for specific code bases, with one CVE Record per vulnerability.
Patches, advisories, and grouped issue buckets use separate naming systems. IDs follow CVE-YYYY-NNNN, where the year field marks when the ID was reserved or published rather than the date of discovery.
Each CVE Record includes:
- CVE ID
- Description
- Affected products and versions
- References
- Record state: Reserved, Published, or Rejected
These fields give teams the shared identifier, scope, and reference context needed to coordinate remediation.
Program Governance: MITRE, CNAs, and the Federated Model
The CVE program began in 1999. MITRE maintains it, and the U.S. Department of Homeland Security and CISA sponsor it. Governance is federated: CNAs assign IDs, CNA-LRs cover vulnerabilities outside other scopes, Roots govern CNAs, and Top-Level Roots sit above Roots. The global CNA count is currently 526 CNAs (523 CNAs and 3 CNA-LRs) from 43 countries, including vendors, researchers, open-source projects, CERTs, and bug bounty providers.
MITRE and CNAs identify and catalog vulnerabilities. Remediation belongs to the consuming organization.
The NVD Enrichment Layer
NIST's National Vulnerability Database synchronizes with the CVE List and adds CVSS scoring, CPE configurations, CWE mappings, and APIs. As of mid-2026, the NVD contains 361,501 CVE vulnerabilities, including 30,413 Critical, 76,626 High, 82,587 Medium, and 3,224 Low under CVSS V3.
The CVE List serves as the source of record, and the NVD adds enrichment on top of it. That enrichment layer now operates under a prioritization policy that leaves many CVEs without NIST-assigned scores.
Why CVSS Alone Is Not Enough for Prioritization
CVSS measures severity, so CVSS-only remediation produces unmanageable queues. As of October 2023, FIRST's EPSS documentation indicates that a CVSS ≥7 threshold would flag 80,024 of 139,473 CVEs with CVSS 3.x scores, and the NVD dashboard snapshot above lists 30,413 Critical and 76,626 High CVSS V3 records.
Show CVSS scores with the vector string because the number alone omits context.
| Severity | CVSS v2.0 | CVSS v3.x | CVSS v4.0 |
|---|---|---|---|
| None | N/A | 0.0 | 0.0 |
| Low | 0.0-3.9 | 0.1-3.9 | 0.1-3.9 |
| Medium | 4.0-6.9 | 4.0-6.9 | 4.0-6.9 |
| High | 7.0-10.0 | 7.0-8.9 | 7.0-8.9 |
| Critical | N/A | 9.0-10.0 | 9.0-10.0 |
The NVD provides Base metrics only, so teams must apply Temporal, Threat, Environmental, and Supplemental adjustments themselves. CVSS v4.0 introduced a Threat metric group and scoring nomenclature such as CVSS-B, CVSS-BT, CVSS-BE, and CVSS-BTE.
Prioritization Frameworks Beyond CVSS
Layered CVE prioritization combines CVSS severity, EPSS exploitation probability, KEV confirmation, SSVC action decisions, and reachability exposure. The workflow moves from intrinsic severity to exploitation evidence, stakeholder-specific action, and environment-specific exposure so remediation queues reflect technical severity alongside environmental context.
| Framework | Question Answered |
|---|---|
| CVSS | How severe are the intrinsic technical characteristics? |
| EPSS | How likely is exploitation in the next 30 days? |
| KEV | Is this actively exploited right now? |
| SSVC | What action does this organization need to take? |
| Reachability | Is the vulnerable code invoked in this environment? |
EPSS: Exploitation Probability
The Exploit Prediction Scoring System is a FIRST machine-learning model that estimates the probability a CVE will be exploited in the wild within 30 days. It returns a probability score and percentile, refreshes daily, and uses signals such as exploit code, references, chatter, vendor attributes, weakness category, and accessibility. FIRST introduced EPSS v4 on March 17, 2025.
EPSS covers the threat component of Risk = Threat × Vulnerability × Impact. It works best as one prioritization layer.
CISA KEV: Confirmed Exploitation
The Known Exploited Vulnerabilities catalog lists CVEs with reliable evidence of exploitation, an assigned CVE ID, and clear remediation guidance. Federal agencies must remediate KEV entries within prescribed timeframes. BOD 26-04 replaces the older flat 14-day KEV window with a risk-tiered model based on four factors: public exposure, KEV listing, automatability, and whether the flaw grants full or partial system control. The shortest 3-day remediation tier applies only when all four factors are present at once, with forensic triage required before patching.
KEV confirms exploitation after evidence appears. Some KEV entries have low EPSS scores because attack requirements are complex, which reinforces the need for layering.
SSVC: Stakeholder-Specific Action
Stakeholder-Specific Vulnerability Categorization is a Carnegie Mellon SEI and CISA decision-tree model based on exploitation status, technical impact, automatability, mission prevalence, and public well-being impact. It produces Track, Track*, Attend, or Act decisions. CISA recommends using SSVC with KEV.
The Payoff of Layering
Layered prioritization combines KEV and EPSS so remediation queues capture exploited CVEs that a single signal can miss. KEV and EPSS together identify 48 exploited vulnerabilities that neither method captures alone. That same layering now appears in commercial workflows; GitLab added native support in GitLab 17.9 for EPSS, KEV, and CVSS data in Vulnerability Report pages.
The End-to-End CVE Management Workflow
An end-to-end CVE management workflow assigns owners and exit criteria across discovery, triage, risk response, verification, and CI/CD integration. Each stage needs an owner and exit criterion so scanner findings can move from detection to validated remediation, with verification failures or CI/CD gates sending findings back to earlier stages when required.
Stage 1: Discovery and Inventory
Discovery and inventory establish the patchable software baseline by mapping assets, versions, and exposure. That baseline gives remediation teams the evidence needed to prioritize scan results. NIST patch management defines enterprise patch management as identifying, prioritizing, acquiring, installing, and verifying patches. The prerequisite is current inventory of patchable software and versions on each host. CISA recommends at least weekly scanning for internet-accessible systems.
Stage 2: Triage and Prioritization
Triage and prioritization convert vulnerability discoveries into coordinated remediation plans by categorizing findings, assessing initial risk, and assigning stakeholder actions. Per the CISA resource guide, vulnerability management teams typically discover vulnerabilities and coordinate with stakeholders for prioritization and risk teams for planning, while remediation execution sits with system owners. The CSIRT Services Framework defines vulnerability triage as categorizing, prioritizing, and performing initial assessment.
The Context Engine can speed up this stage by tracing cross-file dependencies and data flow patterns across 400,000+ files, so triage teams can check whether application code actually invokes a flagged function or only lists the vulnerable component in a manifest.
Stage 3: Risk Response and Remediation SLAs
NIST SP 800-40 Rev. 4 gives teams four response paths: document risk acceptance, apply a patch, deploy compensating controls, or replace legacy assets. Legacy BOD 19-02 set flat 15-day (critical) and 30-day (high) remediation windows for internet-accessible federal systems, and many enterprise programs still use those numbers as a baseline. For federal agencies, BOD 26-04 supersedes BOD 19-02 as of June 10, 2026 with the risk-tiered model described earlier. Enterprise programs typically tier those SLAs against asset criticality:
| Severity | Tier 1 Critical Assets | Tier 2 Important | Tier 3 Standard |
|---|---|---|---|
| Critical | 24-48 hours | 72 hours | 7 days |
| High | 7 days | 14 days | 30 days |
| Medium | 30 days | 45 days | 60 days |
| Low | 90 days | 90 days | 90 days |
| CISA KEV Listed | 24 hours | 48 hours | 7 days |
Tighter windows apply to active exploitation, internet-facing systems, PHI or payment data, and missing compensating controls. For systems teams cannot patch safely, document segmentation, WAF rules, and monitoring as risk exceptions with review periods.
Stage 4: Verification
Verification confirms that remediation completed successfully. For patching, verify installation and effect. For compensating controls, verify intended function. For risk avoidance, verify decommissioning or replacement of vulnerable devices.
Stage 5: CI/CD and Developer Workflow Integration
CI/CD vulnerability integration places pipeline scanning, container checks, and automated policy gates inside developer and release workflows. These checks identify vulnerable dependencies and OS-layer packages before production and monitor exposure after deployment. FedRAMP's RFC-0012 calls for vulnerability management integration with CI/CD and container scanning. NIST SP 1800-31 describes automation for vulnerability response.
Teams should keep policy gates close to the developer workflow. That includes wiring vulnerability checks into CI/CD integrations and coordinating lockfile changes through version control integrations. Cosmos experts fit here as well: the PR Author expert can open a merge-ready patch bump on a KEV-listed CVE, and the Deep Code Review expert can run recall-focused review on that patch before a human approves it.
CVE Scanning Tools and How They Detect Vulnerabilities
Enterprise CVE scanners differ by detection target and data source. Scanner coverage varies by package type and vulnerability database because each scanner matches package inventory against different advisory sources. The three main categories map to distinct parts of the attack surface:
| Category | Representative Tools | Primary Detection Target |
|---|---|---|
| Container/Image | Trivy, Grype+Syft, Clair | OS and language packages in images |
| SCA | Snyk, Dependabot, OWASP Dependency-Check | Manifests and lockfiles |
| Network/Agent-Based | Tenable Nessus, Qualys VMDR | Services and host inventory |
Scanner selection should also account for advisory source diversity. OS package detection typically relies on vendor advisories, while language package detection relies on the GitLab and GitHub advisory databases. Matching package inventory, host exposure, and advisory data from multiple sources improves coverage across the categories above.
Trivy OS detection uses vendor advisories for OS package vulnerabilities and GitLab and GitHub advisory databases for language packages. Syft inventories container images, and Grype analyzes that inventory using advisory sources such as GitHub Advisory Database, NVD, and Alpine SecDB. Running Grype and Trivy together broadens scanner source diversity for container images by comparing package inventory against multiple advisory databases when OS and language package feeds differ.
Snyk provides fix suggestions. Dependabot uses the GitHub Advisory Database and opens version-bump PRs. OWASP Dependency-Check detects vulnerabilities by mapping dependencies to CPE identifiers and cross-referencing NIST CVE data. Clair layer scanning checks each container layer against Red Hat, Ubuntu, and Debian databases.
Integrating CVE Scanning Into CI/CD Pipelines
CI/CD scan integration combines IDE, PR, filesystem, image, registry, and runtime checks. IDE, pre-commit, PR, and filesystem scans identify vulnerable dependencies before production. Image, registry, and runtime scans catch OS-layer, registry, and runtime exposure.
| Stage | Scan Type | Purpose |
|---|---|---|
| IDE / pre-commit | Snyk CLI, IDE plugins | Catch issues before commit |
| PR / dependency review | GitHub dependency-review-action | Block vulnerable new dependencies |
| Filesystem | trivy fs | Scan repository before packaging |
| Image | Trivy, Grype | Catch OS and language package CVEs |
| Registry | Clair, Sysdig | Gate images before runtime |
| Runtime | Runtime agent | Monitor deployed systems |
The OWASP CI/CD guidance recommends SAST, DAST, IaC scanning, and manual approval before production deployment.
Gating Policy: How to Fail Builds Without Blocking Everything
The gating pattern separates informational findings from blocking ones. Report low and medium findings without failing the build; reserve later-stage gate failures for high or critical findings. Automated quality gate platforms should reflect the same severity and environment boundaries, tightening severity thresholds as code moves closer to production:
| Environment | Severity Gate | ignore-unfixed | Timeout |
|---|---|---|---|
| Dev | CRITICAL | true | 5m |
| Staging | CRITICAL, HIGH | false | 10m |
| Production | CRITICAL, HIGH, MEDIUM | false | 15m |
Snyk gates via --severity-threshold=low|medium|high|critical. GitLab pipeline policies can inject scanning jobs, fail builds above risk tolerance, and require security review for vulnerable merge requests or dependency lockfile changes. Trivy and Grype can output SARIF to the GitHub Security tab.
Managing Noise
Pipeline noise management uses prioritization, reachability analysis, --ignore-unfixed, and allowlisting through .trivyignore or allowedlist.yaml to narrow remediation queues before every scanner finding reaches a human reviewer.
Managing False Positives With VEX and Reachability
False positive management uses VEX and reachability analysis to separate vulnerable component presence from exploitable exposure. Scanners flag vulnerabilities in a component even when vulnerable code is absent or unreachable. Security teams face more than 40,000 new CVEs annually, while Tenable cites roughly 3% as ever exploited.
VEX: Attesting Exploitability
VEX is a machine-readable advisory format for exploitability status in a specific product configuration. It carries Not Affected, Affected, Fixed, and Under Investigation statuses.
The OpenSSF VEX report, covering major vendors and distributions, describes VEX adoption as inconsistent and uncertain across the reviewed environment. Because formats serve different workflows, teams should treat CSAF as a production-oriented format and CycloneDX VEX as a DevSecOps format.
Reachability Analysis
Reachability analysis traces vulnerable functions through dependency and call graphs. It reduces non-actionable SCA findings by distinguishing component presence from code paths that application execution can invoke. The Context Engine performs the same kind of trace across a full repository, so a Cosmos session investigating a flagged CVE can report back on whether the vulnerable call site is reachable from an entry point.
Reachability has failure modes: inaccurate vulnerable-method identification, poor version scoping, and incorrect non-vulnerable tagging. Reachability belongs beside SCA as an added prioritization layer.
The Combined Triage Workflow
Risk-Based Vulnerability Management uses business risk instead of alert volume. A triage sequence combines severity, exploitation likelihood, confirmed exploitation, business impact, and reachability exposure. SIEM or SOAR consolidation groups related alarms after those filters narrow the queue.
The combined triage sequence narrows scanner findings in this order:
- Use CVSS severity as the initial floor.
- Add EPSS likelihood to estimate exploitation probability.
- Escalate CISA KEV entries because exploitation is confirmed.
- Apply business impact to reflect asset and data sensitivity.
- Use reachability exposure to distinguish invoked code paths from component presence.
The New Code Review Workflow for AI-Native Engineering Teams
See how leading teams keep code review fast and rigorous as AI writes more of the code.
The State of the CVE Environment in 2025-2026
The 2025-2026 CVE environment requires multi-source vulnerability intelligence. Submission growth, NVD enrichment changes, funding uncertainty, and alternative databases can leave a single source incomplete for CVSS, CPE, CWE, or remediation decisions. Toolchains need multiple vulnerability databases because April 2026 NVD prioritization can leave lower-priority CVEs without NIST-assigned CVSS, CPE, or CWE enrichment, which reduces scanner match quality for affected records.
Multi-source vulnerability intelligence should combine:
- CVE List records for the source-of-record identifier.
- NVD enrichment for CVSS scoring, CPE configurations, CWE mappings, and APIs when available.
- CISA KEV and CISA Vulnrichment for exploitation and enrichment signals.
- GitHub Advisory Database and vendor advisories for scanner source diversity.
- EUVD as a supplementary vulnerability database.
Together, these sources reduce dependence on any single enrichment feed.
The NVD Enrichment Backlog
Record growth led NIST to apply new prioritization criteria. As a result, the NVD enrichment backlog leaves lower-priority CVEs without NIST-assigned CVSS, CPE, or CWE data. CVE submission growth increased 263% between 2020 and 2025, and Q1 2026 submissions were nearly one-third higher than the prior year. As of April 15, 2026, NIST categorizes CVEs that do not meet new prioritization criteria as Lowest Priority or Not Scheduled. NIST excludes KEV entries from deferral.
Many CVEs will lack NIST-assigned CVSS scores, CPE configurations, and CWE mappings. A record without NIST assessment shows the deferral pattern in practice, while a CNA-scored entry carries a CNA-assigned CVSS of 9.9 but no NIST enrichment.
The MITRE Funding Scare and the CVE Foundation
CVE governance resilience became an operational concern in 2025 because funding uncertainty exposed dependence on a single government sponsor. CVE Board members responded by launching the CVE Foundation. On April 15, 2025, MITRE VP Yosry Barsoum warned in a letter that CVE Program funding would expire on April 16, 2025. CISA executed the contract option overnight, and Acting Executive Assistant Director Matt Hartman said in a public statement that the issue was a resolved contract administration matter. On April 16, 2025, CVE Board members launched the CVE Foundation, a nonprofit seeking independence from any single government sponsor.
Alternative and Supplementary Databases
Supplementary vulnerability databases add EUVD, GitHub Advisory Database, CISA Vulnrichment, and vendor identifiers to scanner inputs. These sources give teams additional prioritization data when NVD or CVE.org data is incomplete. ENISA's European Vulnerability Database launched May 13, 2025 under the NIS2 Directive. The GitHub Advisory Database publishes CVEs independently, and CISA operates a Vulnrichment program for supplemental enrichment.
How SBOMs Support CVE Management
An SBOM is a nested inventory of software components. Paired with VEX, it separates vulnerable presence from exploitable exposure. US Executive Order 14028 directed NTIA to define minimum SBOM elements for vulnerability, inventory, and license management, while NIST describes SBOMs as complementary to vulnerability management.
The SPDX Security Profile supports EPSS scores, CVSS scores, SSVC, and VEX status justifications. OWASP maintains CycloneDX, which is focused on application security. The two formats overlap in purpose but diverge in scope and governance:
| Feature | CycloneDX | SPDX |
|---|---|---|
| Primary purpose | Application security | License and supply chain transparency |
| Maintained by | OWASP Foundation | Linux Foundation |
| Typical use | Security scanning | Legal and open-source compliance |
| VEX relationship | CycloneDX VEX is a DevSecOps path | SPDX Security Profile supports VEX status justifications |
| Security data coverage | Focused on application security | Supports EPSS scores, CVSS scores, SSVC, and VEX status justifications |
CycloneDX recommends decoupling VEX from SBOM because VEX changes dynamically while SBOM inventory changes less often. SPDX describes a separate, linked VEX document that references a static SBOM.
Measuring and Reporting Program Effectiveness
Vulnerability management metrics should show remediation speed, asset coverage, and risk reduction. NIST risk KPIs explicitly list Mean-Time-to-Patch in days and SLA achievement percentage as enterprise risk KPIs.
Program reporting should align vulnerability metrics with code quality metrics so remediation speed does not hide quality regressions. Severity-specific reporting separates critical, high, medium, and low MTTR and SLA compliance so aggregate mean MTTR does not hide poor prioritization. The core reporting metrics fall into speed, coverage, and exposure categories:
| Metric | What It Shows |
|---|---|
| MTTR by severity | Remediation speed for critical, high, medium, and low findings |
| MTTD | Detection speed |
| Average vulnerability age | How long findings remain open |
| SLA compliance | Whether remediation meets severity-tiered targets |
| Asset coverage | Whether scanning reaches the expected inventory |
| Backlog trend | Whether unresolved findings are increasing or decreasing |
| Remediation velocity | How quickly teams close findings |
| Accepted risk | Which findings remain open by documented decision |
| Percentage with known exploits | How much backlog has exploitation evidence |
AI and Automation in CVE Management
AI-assisted CVE triage and remediation can produce a 5-10x task speed-up for multi-file remediation planning, according to vendor-reported figures from Augment Code. Tools need semantic dependency graph analysis to tie suggested changes to code paths. Fix quality and hallucination risks still require human review at approval and exception checkpoints. A FIRST 2026 forecast notes a large increase in reported disclosures driven by AI bug-hunting tools and CNA expansion, while actionable exploitability remains flat.
NVIDIA Agent Morpheus combines RAG and AI agents to assess exploitability, generate checklists, and summarize analyst work. NVIDIA reports a 9.3x speedup for that workflow. The CSA remediation model recommends exploitability-based prioritization with KEV, active exploitation evidence, and contextual reachability.
Attackers actively exploit package hallucination by publishing malicious packages under commonly hallucinated library names. AI-assisted remediation needs security integrations that constrain generated changes before they reach production branches.
Mitigations for AI-assisted remediation include:
- RAG
- Static analysis integration
- Limited rollout to outdated libraries and known-safe dependency updates
- Escalation criteria
- CI/CD controls
The Context Engine reports a 40% reduction in hallucinations through Prism model routing that picks the right model per task. On top of that, Cosmos runs those routed agents inside governed environments with tenant memory, human-in-the-loop policies, and auditable sessions, so remediation workflows can pair routing with RAG, static analysis, escalation criteria, and CI/CD controls to constrain generated changes before they hit a production branch.
Start Layering Your Prioritization Before Your Next Scan Cycle
The main tension in CVE management comes from the gap between the volume scanners flag and the smaller fraction that threatens the environment. CVSS can mark large portions of scored records as urgent, and the April 2026 NVD enrichment change means database-sourced scores will become less complete.
Apply prioritization this sprint, then wire severity-tiered gating into CI/CD so unfiltered noise never reaches a human queue.
FAQs
Related Reading
Written by

Ani Galstian
Ani writes about enterprise-scale AI coding tool evaluation, agentic development security, and the operational patterns that make AI agents reliable in production. His guides cover topics like AGENTS.md context files, spec-as-source-of-truth workflows, and how engineering teams should assess AI coding tools across dimensions like auditability and security compliance