FAQ

Questions users will actually ask before trusting the score.

These answers explain what the tool does, what it does not do, how source data is used and how teams should interpret the generated report.

Core principle

The tool helps prioritize and explain risk. It does not replace scanner evidence, asset inventory, vendor advisories, risk ownership or security engineering judgement.

1

Does business context change the original CVSS score?

No. CVSS stays as the source technical severity score. Business context changes the Business Risk Score, which is the operational prioritization layer used for remediation planning.

2

What problem does this application solve?

It helps teams move from raw vulnerability severity to business-aware priority. A CVSS 10 on an isolated lab host is not the same operational risk as a CVSS 10 on an internet-facing production identity system.

3

What data sources are used during CVE lookup?

The current enrichment flow uses NVD for CVE details and CVSS data, FIRST EPSS for exploitation probability and CISA KEV for known-exploited status when available.

4

What does EPSS mean in this tool?

EPSS estimates the probability of exploitation. It is a likelihood signal, not proof that exploitation is already happening.

5

When does the tool treat a CVE as known exploited?

Known exploitation is treated as source-confirmed when the CVE is listed in CISA KEV. Other signals, such as high EPSS or public exploit references, may increase likelihood but are not the same as KEV confirmation.

6

Why does the tool ask for business context?

Business context tells the model how the vulnerability matters in the user's environment. Exposure, asset type, business criticality, data sensitivity and compensating controls can change remediation urgency.
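Questions 1 to 6 describe a layered model: CVSS stays untouched as the technical severity, KEV listing is the confirmed-exploitation signal, EPSS is a probability, and business context (exposure, asset criticality, data sensitivity, compensating controls) drives a separate Business Risk Score. The Python below is an added illustration of that structure and is not the tool's own scoring formula; every weight, the EPSS floor, the cap on control reduction and the SLA tiers are assumptions, and the CVE identifier is a placeholder.

```python
"""Illustrative Business Risk Score layer.

Added example, not the tool's own model. The weights, floors, cap and SLA
mapping are assumptions chosen to show the structure the FAQ describes: the
CVSS base score is read but never rewritten, and a separate operational score
is derived from CVSS, EPSS, CISA KEV status and business context.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss_base: float   # NVD CVSS base score; the technical severity, left as-is
    epss: float        # FIRST EPSS probability in [0, 1]
    in_kev: bool       # True when the CVE is listed in CISA KEV


@dataclass(frozen=True)
class BusinessContext:
    exposure: str          # "internet", "internal" or "isolated"
    criticality: str       # "critical", "high", "medium" or "low"
    data_sensitivity: str  # "regulated", "confidential", "internal" or "public"
    controls: tuple = ()   # compensating controls present, e.g. ("edr", "waf")


# Assumed weights (hypothetical; a real deployment tunes these to its risk policy).
EXPOSURE = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}
CRITICALITY = {"critical": 1.0, "high": 0.85, "medium": 0.65, "low": 0.45}
SENSITIVITY = {"regulated": 1.0, "confidential": 0.9, "internal": 0.7, "public": 0.5}
CONTROL_REDUCTION = {"edr": 0.10, "waf": 0.10, "segmentation": 0.15, "monitoring": 0.05}
MAX_CONTROL_REDUCTION = 0.30   # controls lower practical risk but never remove it
EPSS_FLOOR = 0.05              # a CVE with a tiny EPSS is still not "zero likelihood"
SLA_TIERS = ((80, 7), (60, 30), (40, 90))  # score threshold -> recommended days
SLA_DEFAULT_DAYS = 180


def likelihood(finding: Finding) -> tuple:
    """Exploitation likelihood in [0, 1] plus the source it came from.

    KEV listing is source-confirmed exploitation and dominates; otherwise EPSS
    stands in as a probability signal, which is likelihood, not proof.
    """
    if finding.in_kev:
        return 1.0, "CISA KEV"
    return max(finding.epss, EPSS_FLOOR), "EPSS"


def business_impact(ctx: BusinessContext) -> float:
    """How much a successful exploit would matter in this environment."""
    return (EXPOSURE[ctx.exposure] * CRITICALITY[ctx.criticality]
            * SENSITIVITY[ctx.data_sensitivity])


def control_factor(ctx: BusinessContext) -> float:
    """Multiplier in [0.7, 1.0]; the cap keeps controls from zeroing the risk."""
    reduction = sum(CONTROL_REDUCTION.get(c, 0.0) for c in ctx.controls)
    return 1.0 - min(reduction, MAX_CONTROL_REDUCTION)


def business_risk_score(finding: Finding, ctx: BusinessContext) -> int:
    """Operational priority on a 0-100 scale. Never modifies finding.cvss_base."""
    severity = finding.cvss_base / 10.0
    prob, _ = likelihood(finding)
    raw = severity * (0.5 + 0.5 * prob) * business_impact(ctx) * control_factor(ctx)
    return round(100 * raw)


def sla_days(score: int) -> int:
    """Map the score to a recommended remediation window (a recommendation only)."""
    for threshold, days in SLA_TIERS:
        if score >= threshold:
            return days
    return SLA_DEFAULT_DAYS


def report(finding: Finding, ctx: BusinessContext) -> dict:
    """Report row: the original CVSS sits beside the derived score, not replaced by it."""
    score = business_risk_score(finding, ctx)
    _, source = likelihood(finding)
    return {
        "cve_id": finding.cve_id,
        "cvss_base": finding.cvss_base,       # unchanged source severity
        "business_risk_score": score,
        "likelihood_source": source,
        "sla_days": sla_days(score),
        "controls_applied": list(ctx.controls),
    }


if __name__ == "__main__":
    # Constructed scenario from question 2: the same CVSS 10 on two very different hosts.
    cve = "CVE-0000-00000"  # placeholder identifier, not a real CVE
    lab = report(Finding(cve, 10.0, 0.02, False),
                 BusinessContext("isolated", "low", "internal"))
    idp = report(Finding(cve, 10.0, 0.02, True),
                 BusinessContext("internet", "critical", "regulated", ("edr", "monitoring")))
    for row in (lab, idp):
        print(row)
```

Running the scenario gives the isolated lab host a Business Risk Score in the single digits and the internet-facing identity system a score in the 80s, while both rows still report `cvss_base` as 10.0. The cap on `control_factor` is what encodes the point in question 14: EDR or monitoring lower the score but can never drive it to zero, so the finding keeps needing remediation or a formal risk acceptance.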

7

What are affected product hints?

Affected product hints are source-derived indicators, usually from NVD CPE configuration data. They are validation hints, not proof that the user's environment contains the product.

8

Why not include every affected product row in the report?

Some CVEs have large configuration trees. The report shows a readable ranked subset and links to the full NVD CVE detail page for complete validation.
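Questions 7 and 8 describe hints derived from NVD CPE configuration data, presented as a ranked subset with a link to the full NVD detail page. The Python below is an added example of that extraction and is not the tool's own code. The JSON is a constructed sample that follows the shape of the NVD CVE API 2.0 `configurations` field (nodes, `cpeMatch`, `criteria`, version bounds) with invented vendor and product names, and the CVE identifier in the usage line is a placeholder.

```python
"""Affected product hints from an NVD-shaped configurations block.

Added example, not the tool's own code. The JSON below is a constructed sample
that follows the shape of the NVD CVE API 2.0 "configurations" field; vendor,
product names and version bounds are made up.
"""
import json
from collections import defaultdict

SAMPLE_NVD_JSON = json.dumps({
    "configurations": [
        {"nodes": [
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:webgateway:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"},
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:webgateway:3.0.0:*:*:*:*:*:*:*"},
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:webgateway:3.0.1:*:*:*:*:*:*:*"},
            ]},
        ]},
        {"nodes": [
            {"operator": "AND", "negate": False, "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:admin_console:1.2:*:*:*:*:*:*:*"},
            ]},
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": False,
                 "criteria": "cpe:2.3:o:otherco:server_os:-:*:*:*:*:*:*:*"},
            ]},
        ]},
    ]
})

VERSION_BOUNDS = (("versionStartIncluding", ">="), ("versionStartExcluding", ">"),
                  ("versionEndIncluding", "<="), ("versionEndExcluding", "<"))


def split_cpe23(criteria: str) -> list:
    """Split a CPE 2.3 formatted string on unescaped colons.

    A backslash escapes the next character, so "p\\:x" stays one component.
    Returns the 13 components: cpe, 2.3, part, vendor, product, version, ...
    """
    parts, current, i = [], [], 0
    while i < len(criteria):
        ch = criteria[i]
        if ch == "\\" and i + 1 < len(criteria):
            current.append(criteria[i + 1])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def describe_version(match: dict) -> str:
    """Render one cpeMatch row's version constraint for a human reader."""
    bounds = [f"{sym} {match[key]}" for key, sym in VERSION_BOUNDS if key in match]
    if bounds:
        return " and ".join(bounds)
    version = split_cpe23(match["criteria"])[5]
    return {"*": "any version", "-": "no version"}.get(version, f"= {version}")


def affected_product_hints(nvd_json: str, cve_id: str, limit: int = 5) -> dict:
    """Group vulnerable cpeMatch rows by product, rank by row count, return a subset.

    AND/negate node logic is deliberately flattened: these are validation hints
    telling a reviewer which products to check, not proof of exposure, so the
    full NVD detail page is linked for the complete configuration tree.
    """
    data = json.loads(nvd_json)
    groups = defaultdict(list)
    vulnerable_rows = 0
    for config in data.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable"):
                    continue  # non-vulnerable rows only narrow an AND condition
                vulnerable_rows += 1
                fields = split_cpe23(match["criteria"])
                groups[(fields[2], fields[3], fields[4])].append(describe_version(match))
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    hints = [{"part": part, "vendor": vendor, "product": product,
              "rows": len(versions), "versions": versions}
             for (part, vendor, product), versions in ranked[:limit]]
    return {
        "hints": hints,
        "shown_groups": len(hints),
        "total_groups": len(groups),
        "vulnerable_rows": vulnerable_rows,
        "full_detail_url": f"https://nvd.nist.gov/vuln/detail/{cve_id}",
    }


if __name__ == "__main__":
    # "CVE-0000-00000" is a placeholder identifier, not a real CVE.
    print(json.dumps(affected_product_hints(SAMPLE_NVD_JSON, "CVE-0000-00000", limit=1), indent=2))
```

With `limit=1` the sample yields one hint group (the product with three matching rows) while `total_groups` and `vulnerable_rows` tell the reader how much of the tree was left out, which is the cue to follow `full_detail_url` before treating the hint as confirmation that the product is actually present.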

9

Are reports saved in the database?

No. The MVP uses session-only reports. Users should download or print the current report before generating a new one or refreshing the page.

10

What is stored in the local CVE cache?

The cache is intended for public CVE intelligence such as NVD, EPSS and KEV lookup results. It is not intended to store user reports, private scenario history or account data in the MVP.

11

Can this replace a vulnerability scanner?

No. The tool does not discover assets or prove that a product is installed. It helps prioritize and explain findings that come from scanner output, asset inventory, source intelligence or manual validation.

12

Can this replace vendor remediation guidance?

No. Vendor advisories and official mitigation instructions remain the source of truth for exact remediation steps. The report helps organize the decision and evidence around remediation priority.

13

How should security teams use the SLA recommendation?

The SLA should be treated as a prioritization recommendation. Teams still need to consider change windows, outage risk, compensating controls, business owner approval and incident response requirements.

14

Why don't compensating controls remove the risk completely?

Controls such as EDR, WAF, segmentation and monitoring can reduce practical risk, but they normally do not remove the underlying vulnerability. The report should still track remediation or formal risk acceptance.

15

Is the Business Risk Score an official standard?

No. It is a transparent model for prioritization. CVSS, EPSS, CISA KEV, vendor advisories and internal risk management processes remain separate inputs and validation sources.