fix(vm-priority): add vm priority docs

src/content/docs/vulnerability-management/understanding-prioritization.mdx

@@ -0,0 +1,118 @@
+---
+title: Understanding vulnerability prioritization
+metaDescription: Use Vulnerability Management to overcome blindspots and assign remediation to developers as a security team.
+freshnessValidatedDate: never
+---
+
+import vmPriority from 'images/vuln-priority-security.webp'
+
+This document covers: 
+    - Where to find priority ranks in Vulnerability Management
+    - What data factors into the priority ranks of vulnerabilities
+
+## Viewing priority rank in Vulnerability Management
+
+<img
+  title="Vulnerability Management prioritization"
+  alt="An image showing the vulnerabilities prioritization on the Vulnerability Management vulnerability list page."
+  src={vmPriority}
+/>
+
+<figcaption>
+  <DoNotTranslate>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Vulnerability Management > (select vulnerabilities tab)**</DoNotTranslate>
+</figcaption>
+
+The priority ranking is based on all known data about a vulnerability. The “reason to prioritize” column is a summary and weighting of key CVSS (Common Vulnerability Scoring System), EPSS ( Exploit Prediction Scoring System), IAST confirmed findings, and known active ransomware data. 
+
+## Data influencing priority rank
+
+<CollapserGroup>
+    <Collapser
+        className="freq-link"
+        id="severity"
+        title="Severity data"
+    >
+        Severity is based on the vulnerability’s CVSS score. An open industry standard, CVSS uses a formula of several access and impact metrics to calculate the severity of the vulnerability.
+
+        This table shows the tags we’ve assigned corresponding to CVSS scores.
+        <table>
+            <thead>
+                <tr>
+                <th>Severity</th>
+                <th>CVSS range</th>
+                </tr>
+            </thead>
+            <tbody>
+            <tr>
+            <td>Critical</td>
+            <td>9.0 - 10.0</td>
+            </tr>
+            <tr>
+            <td>High</td>
+            <td>7.0 - 8.9</td>
+            </tr>
+            <tr>
+            <td>Medium</td>
+            <td>4.0 - 6.9</td>
+            </tr>
+            <tr>
+            <td>Low</td>
+            <td>0.1 - 3.9</td>
+            </tr>
+            <tr>
+            <td>Info / None</td>
+            <td>0.0</td>
+            </tr>
+            </tbody>
+        </table>
+    </Collapser>
+    <Collapser
+        className="freq-link"
+        id="active-ransomware"
+        title="Active ransomware data"
+    >
+        Active ransomware are vulnerabilities that have been used in known ransomware campaigns. The severe economic and reputational impacts of ransomware incidents make these vulnerabilities a high priority.
+    </Collapser>
+    <Collapser
+        className="freq-link"
+        id="exploit-probability"
+        title="Exploit probability(EPSS) data"
+    >
+        Exploit probability scores are based on EPSS, which rates the probability that a vulnerability will be exploited in the wild. In these cases, there are known instances of threat actors taking advantage of the vulnerability. EPSS scores can look low out of context; however, security experts recommend giving higher priority to all vulnerabilities with an exploit probability above the 85th percentile. This indicates a significant risk that that vulnerability will be exploited.
+
+        This table shows the tags we’ve assigned to each level of exploit probability.
+        <table>
+        <thead>
+            <tr>
+            <th>Exploit probability</th>
+            <th>EPSS percentile</th>
+            </tr>
+        </thead>
+        <tbody>
+            <tr>
+            <td>Exploit extremely probable</td>
+            <td> >95%</td>
+            </tr>
+            <tr>
+            <td>Exploit very probable</td>
+            <td> >90%</td>
+            </tr>
+            <tr>
+            <td>Exploit probable</td>
+            <td> >85%</td>
+            </tr>
+        </tbody>
+        </table>
+    </Collapser>
+    <Collapser
+        className="freq-link"
+        id="iast-confirmed"
+        title="IAST confirmed data"
+    >
+        IAST confirmed are vulnerabilities found in your custom code that are confirmed to actually be exploitable even if threat actors may not be aware of the exploit.
+    </Collapser>
+</CollapserGroup>
+
+### Example of ranking logic
+
+A vulnerability that’s "high" severity with an EPSS of “exploit probable” might rank higher than a vulnerability with a "critical" severity but an EPSS level that’s lower than an 85th percentile probability of exploitation. 

src/nav/vuln-management.yml

@@ -3,6 +3,8 @@ path: /docs/vulnerability-management
 pages:
   - title: Get started with vulnerability management
     path: /docs/vulnerability-management/overview
+  - title: Understanding vulnerability prioritization
+    path: /docs/vulnerability-management/understanding-prioritization
   - title: Manage vulnerabilities as a developer
     path: /docs/vulnerability-management/dev-workflow
   - title: Manage vulnerabilities as a security team