Over the past 6 months, we’ve been building, testing and fine-tuning a new vulnerability scoring system called Patchstack Priority to provide a more accurate representation of the seriousness of security vulnerabilities. The goal? Help WordPress developers reduce alert fatigue and know what to patch first.
We have carefully assigned the Patchstack Priority scores to all historic vulnerabilities, and the scores are now added to every new vulnerability. (Some of you may have already noticed “Priority” levels on the Patchstack Database vulnerability entries.)
Today, we roll Patchstack Priority out to all our users!
Vulnerability prioritization for Patchstack users
Patchstack users can now prioritize and filter vulnerabilities directly on their main dashboard.
By default, vulnerabilities will be sorted based on their Patchstack Priority score and date (newest first).
If you have planned maintenance windows for your websites, you can jump into the Patchstack App to see what needs your attention first. You’ll see which vulnerabilities could be resolved with a security update and which vulnerabilities are mitigated by the Patchstack vPatches.
As we continue working on Patchstack Priority, users will soon also get a “security tasklist,” recommending when to update specific software and helping you optimize your security maintenance.
Our Developer and Business users will be able to adjust their notifications. For example, if you'd only like to receive notifications for high-priority threats, toggle it in the Settings, and alert fatigue will be no more!
Different levels of Patchstack Priority
With the rapidly increasing number of security vulnerabilities being fixed in the WordPress plugin ecosystem, it’s more important than ever to know where to direct attention first. Unfortunately, setting a focus is difficult when everything seems equally severe.
Patchstack Priority sorts vulnerabilities into three categories, so users can direct their attention to where it’s needed first and reduce noise from vulnerabilities that are not an imminent threat.
Patchstack Priority assigns every vulnerability one of three levels: High, Medium, or Low.
High:
- Expected to become actively exploited
- Known to be actively exploited already
- Receives a vPatching rule from Patchstack
- Recommended time to patch/update (RTTP): 0 days.
Medium:
- Could be exploited in more targeted attacks
- Is not yet publicly known to be exploited
- Receives a vPatching rule from Patchstack
- Recommended time to patch/update (RTTP): 7 days.
Low:
- Not expected to become exploited
- Not known to be exploited
- Does not require a vPatching rule from Patchstack
- Recommended time to patch/update (RTTP): 30 days.
The priorities are updated as we get more data, ensuring you always know what needs your attention first.
Data behind the Patchstack Priority
Patchstack Priority is a dynamic scoring system, which takes into account different variables to predict whether a vulnerability will:
- Become actively mass-exploited, or
- Potentially be exploited in more targeted attacks, or
- Be unlikely to become exploited.
We analyze each vulnerability and the software in which it was found, then compare them with similar past vulnerabilities for which we have attack data.
We also monitor each vulnerability in real time in case we need to increase the priority.
Some of the variables we analyze when assigning Patchstack Priority to security vulnerabilities include the following:
- Analyzing the vulnerability prerequisites (e.g. what privileges are required for the vulnerability to be exploitable?)
- Analyzing the vulnerability type (e.g. some vulnerability classes, such as RCE, are more prone to exploitation than others, such as CSRF)
- Analyzing the software itself (e.g. how big a target it is, where it’s commonly used, how many active installs it has, etc.)
- Analyzing the standard CVSS scores
- Monitoring active exploitation attempts
In addition to introducing Patchstack Priority so you know what to tackle first, our team has also made more changes to the Patchstack App:
- An easier way to control the Protection modules and to search and review the protection logs
- See active modules on the Apps Overview page
- Partner Mode in the plugin
- New rule creation page for our new firewall engine (and templates)
Stay tuned for more updates as our team works to help you take charge of your WordPress security.
Try Patchstack Priority in your dashboard, and let us know if you have any feedback!