newrelic · jeff-colucci · Mar 27, 2024 · Mar 27, 2024 · Mar 27, 2024
diff --git a/src/content/docs/vulnerability-management/understanding-prioritization.mdx b/src/content/docs/vulnerability-management/understanding-prioritization.mdx
@@ -0,0 +1,118 @@
+---
+title: Understanding vulnerability prioritization
+metaDescription: Use Vulnerability Management to overcome blindspots and assign remediation to developers as a security team.
+freshnessValidatedDate: never
+---
+
+import vmPriority from 'images/vuln-priority-security.webp'
+
+This document covers: 
+    - Where to find priority ranks in Vulnerability Management
+    - What data factors into the priority ranks of vulnerabilities
+
+## Viewing priority rank in Vulnerability Management
+
+<img
+  title="Vulnerability Management prioritization"
+  alt="An image showing the vulnerabilities prioritization on the Vulnerability Management vulnerability list page."
+  src={vmPriority}
+/>
+
+<figcaption>
+  <DoNotTranslate>**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Vulnerability Management > (select vulnerabilities tab)**</DoNotTranslate>
+</figcaption>
+
+The priority ranking is based on all known data about a vulnerability. The “reason to prioritize” column is a summary and weighting of key CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), IAST confirmed findings, and known active ransomware data. 
+
+## Data influencing priority rank
+
+<CollapserGroup>
+    <Collapser
+        className="freq-link"
+        id="severity"
+        title="Severity data"
+    >
+        **Severity** is based on the vulnerability’s CVSS score. An open industry standard, CVSS uses a formula of several access and impact metrics to calculate the severity of the vulnerability.
+
+        This table shows the tags we’ve assigned corresponding to CVSS scores.
+        <table>
+            <thead>
+                <tr>
+                <th>Severity</th>
+                <th>CVSS range</th>
+                </tr>
+            </thead>
+            <tbody>
+            <tr>
+            <td>Critical</td>
+            <td>9.0 - 10.0</td>
+            </tr>
+            <tr>
+            <td>High</td>
+            <td>7.0 - 8.9</td>
+            </tr>
+            <tr>
+            <td>Medium</td>
+            <td>4.0 - 6.9</td>
+            </tr>
+            <tr>
+            <td>Low</td>
+            <td>0.1 - 3.9</td>
+            </tr>
+            <tr>
+            <td>Info / None</td>
+            <td>0.0</td>
+            </tr>
+            </tbody>
+        </table>
+    </Collapser>
+    <Collapser
+        className="freq-link"
+        id="active-ransomware"
+        title="Active ransomware data"
+    >
+        **Active ransomware** are vulnerabilities that have been used in known ransomware campaigns. The severe impacts of ransomware incidents make these vulnerabilities a high priority.
+    </Collapser>
+    <Collapser
+        className="freq-link"
+        id="exploit-probability"
+        title="Exploit probability(EPSS) data"
+    >
+        **Exploit probability** scores are based on EPSS, which rates the probability that a vulnerability will be exploited in the wild. In these cases, there are known instances of threat actors taking advantage of the vulnerability. EPSS scores can look low out of context, but security experts recommend giving higher priority to all vulnerabilities with an exploit probability above the 85th percentile. This indicates a significant risk that that vulnerability will be exploited.
+
+        This table shows the tags we’ve assigned to each level of exploit probability.
+        <table>
+        <thead>
+            <tr>
+            <th>Exploit probability</th>
+            <th>EPSS percentile</th>
+            </tr>
+        </thead>
+        <tbody>
+            <tr>
+            <td>Exploit extremely probable</td>
+            <td> >95%</td>
+            </tr>
+            <tr>
+            <td>Exploit very probable</td>
+            <td> >90%</td>
+            </tr>
+            <tr>
+            <td>Exploit probable</td>
+            <td> >85%</td>
+            </tr>
+        </tbody>
+        </table>
+    </Collapser>
+    <Collapser
+        className="freq-link"
+        id="iast-confirmed"
+        title="IAST confirmed data"
+    >
+        **IAST confirmed** are vulnerabilities found in your custom code that are confirmed to actually be exploitable even if threat actors may not be aware of the exploit.
+    </Collapser>
+</CollapserGroup>
+
+### Example of ranking logic
+
+A vulnerability that’s "high" severity with an EPSS of “exploit probable” might rank higher than a vulnerability with a "critical" severity with an EPSS level that’s lower than an 85th percentile probability of exploitation. 
diff --git a/src/images/vuln-priority-security.webp b/src/images/vuln-priority-security.webp
diff --git a/src/nav/vuln-management.yml b/src/nav/vuln-management.yml
@@ -3,6 +3,8 @@ path: /docs/vulnerability-management
 pages:
   - title: Get started with vulnerability management
     path: /docs/vulnerability-management/overview
+  - title: Understanding vulnerability prioritization
+    path: /docs/vulnerability-management/understanding-prioritization
   - title: Manage vulnerabilities as a developer
     path: /docs/vulnerability-management/dev-workflow
   - title: Manage vulnerabilities as a security team