BIPI

Patch Management That Scales: Risk Scoring, KEV, and Bake Time

Cybersecurity

Patching everything within seven days of disclosure is a policy that exists on paper at most organizations and fails in practice at all of them. Real patch management combines exploitability scoring, the CISA KEV catalog, and a deliberate bake time to keep urgency proportional to risk without inducing rollback fatigue.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 29, 2023 · 9 min read

#patch-management #vulnerability-management #kev #cvss #epss

Most patch management policies are written by people who do not have to execute them. "Patch everything within seven days of disclosure" sounds reasonable until you count the patches. A typical enterprise sees tens of thousands of new vulnerabilities a quarter, and patching all of them in a week is operationally impossible.

The functional version of the policy is risk-prioritized patching. Patch the small subset that matters within hours, patch the meaningful middle within weeks, and let the long tail flow through normal release cycles. The hard part is deciding which is which.

CVSS is necessary but not sufficient

CVSS gives you a severity score. It does not tell you whether the vulnerability is actually being exploited, whether it is reachable in your environment, or whether the vendor patch introduces regressions. A CVSS 9.8 in a library you do not load is less urgent than a CVSS 7.2 in your edge proxy.

KEV is the actionable signal

The CISA Known Exploited Vulnerabilities catalog lists CVEs with confirmed in-the-wild exploitation. It is much smaller than the full CVE feed, and it is the right starting point for emergency patching. If a CVE is in KEV and it is in your stack, that is a same-day or next-day patch.

  • KEV listed and reachable in production: patch within 72 hours
  • KEV listed but not reachable: track and patch in the next release cycle
  • Not in KEV, high CVSS, high EPSS score: patch within two weeks
  • Not in KEV, high CVSS, low EPSS, low reachability: normal release cadence

EPSS for the long tail

EPSS, the Exploit Prediction Scoring System from FIRST, gives a probability that a CVE will be exploited in the next thirty days. It is not perfect, but it is dramatically better than CVSS alone for prioritization. Combined with KEV, it gives you a tiered triage model that scales.

Most CVEs with high CVSS scores have low EPSS scores. Treating all of them as emergencies guarantees you will miss the ones that matter.

Reachability is the multiplier

A vulnerability in a transitive dependency that your code never calls is a paper finding. Modern SCA tools, including Snyk Code, Endor Labs, and the open-source semgrep supply-chain pack, can analyze whether the vulnerable function is reachable from your application code. Reachability data, combined with KEV and EPSS, narrows the urgent list from thousands to dozens.
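The four tiers above, with EPSS and reachability folded in, amount to a small decision function. The following is an added example (not the article's or any vendor's tooling): the `Finding` fields, the CVSS 7.0 and EPSS 0.10 "high" thresholds, and the placeholder CVE ids are assumptions. The article leaves one cell unspecified, a non-KEV, high-CVSS, low-EPSS finding that is reachable; the example conservatively places it in the two-week tier, which is also an assumption.

```python
"""Tiered patch triage from KEV, EPSS and reachability.

Added example, not the article's or any vendor's tooling. The thresholds
(CVSS >= 7.0 and EPSS >= 0.10 count as "high") and the Finding fields are
assumptions for illustration. The article does not say where a non-KEV,
high-CVSS, low-EPSS finding that IS reachable belongs; this example
conservatively puts it in the two-week tier (also an assumption).
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # FIRST EPSS: probability of exploitation in the next 30 days
    in_kev: bool       # listed in the CISA Known Exploited Vulnerabilities catalog
    reachable: bool    # vulnerable code reachable from application code (SCA reachability)


@dataclass(frozen=True)
class Tier:
    name: str
    sla: Optional[timedelta]   # None: no fixed deadline, rides the normal release cadence


EMERGENCY = Tier("emergency", timedelta(hours=72))      # KEV and reachable
TWO_WEEKS = Tier("two-weeks", timedelta(days=14))       # high CVSS and high EPSS
NEXT_RELEASE = Tier("next-release", None)               # KEV but not reachable
ROUTINE = Tier("routine", None)                         # the long tail

# Most urgent first: tiers with fixed deadlines before cadence-driven tiers.
TIER_ORDER = [EMERGENCY, TWO_WEEKS, NEXT_RELEASE, ROUTINE]

HIGH_CVSS = 7.0    # assumed threshold
HIGH_EPSS = 0.10   # assumed threshold


def triage(f: Finding) -> Tier:
    """Map one finding onto the four-tier model."""
    if f.in_kev:
        return EMERGENCY if f.reachable else NEXT_RELEASE
    if f.cvss >= HIGH_CVSS and (f.epss >= HIGH_EPSS or f.reachable):
        # high CVSS + high EPSS per the article; high CVSS + reachable is the assumed conservative case
        return TWO_WEEKS
    return ROUTINE


def prioritize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (cve, tier) pairs, most urgent first; EPSS breaks ties within a tier."""
    ranked = sorted(findings, key=lambda f: (TIER_ORDER.index(triage(f)), -f.epss))
    return [(f.cve, triage(f).name) for f in ranked]


def emergency_list(findings: List[Finding]) -> List[str]:
    """The same-day/next-day list: KEV-listed and reachable in production."""
    return [f.cve for f in findings if triage(f) is EMERGENCY]


# Constructed sample findings with placeholder CVE ids (not real CVEs).
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False, reachable=False),  # library never loaded
    Finding("CVE-0000-0002", cvss=7.2, epss=0.60, in_kev=True, reachable=True),    # edge proxy
    Finding("CVE-0000-0003", cvss=8.1, epss=0.45, in_kev=False, reachable=True),
    Finding("CVE-0000-0004", cvss=9.1, epss=0.01, in_kev=True, reachable=False),
    Finding("CVE-0000-0005", cvss=7.5, epss=0.03, in_kev=False, reachable=True),
]

if __name__ == "__main__":
    for cve, tier in prioritize(SAMPLE):
        print(f"{cve}: {tier}")
```

Run as a script it prints the ranked list; the CVSS 9.8 finding in a library that is never loaded lands at the bottom, and the CVSS 7.2 KEV entry in the edge proxy is the only emergency, which is the point of the CVSS-versus-KEV comparison above.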

Bake time is a feature

Patching faster than you can validate is a recipe for rollback. A patch that breaks production at 2 AM is worse than a vulnerability that is being tracked. Build deliberate bake time into the process. Patches land in staging, run for a defined window, and only then promote to production. For KEV-listed criticals, the bake time can be hours. For routine patches, a window of days is fine.

  1. Triage feed with KEV plus EPSS plus reachability scoring
  2. Auto-PR for safe minor and patch bumps via Renovate or Dependabot
  3. Mandatory CI suite plus a smoke test in staging with defined bake time
  4. Canary deploy to a single region or a small percentage of traffic
  5. Full rollout with monitored error budget burn
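Steps 3 through 5 are a gate that runs repeatedly against each candidate change until it is promoted or rolled back. The example below is added here and is not the article's pipeline: the per-tier bake windows, the canary error-budget tolerance, and the `Candidate` fields are assumptions, and the scenario clock is fixed so the decisions are reproducible.

```python
"""Tier-aware promotion gate: staging -> canary -> full rollout.

Added example, not the article's pipeline. Bake windows per tier, the
canary error-rate tolerance and the Candidate fields are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed bake windows: hours for KEV-listed criticals, days for everything else.
BAKE_TIME = {
    "emergency": timedelta(hours=4),
    "two-weeks": timedelta(days=2),
    "next-release": timedelta(days=3),
    "routine": timedelta(days=3),
}

# Assumed error budget: the canary may exceed the baseline error rate by at most this much.
CANARY_TOLERANCE = 0.005


@dataclass
class Candidate:
    change_id: str
    tier: str
    ci_passed: bool
    smoke_passed: bool
    staged_at: datetime                        # when the patch landed in staging (UTC)
    canary_error_rate: Optional[float] = None  # None until the canary has run
    baseline_error_rate: float = 0.0           # pre-change production error rate


def evaluate(c: Candidate, now: datetime) -> Tuple[str, str]:
    """Decide the next action for a candidate: hold, canary, rollout or rollback."""
    if not c.ci_passed:
        return ("hold", "CI suite failed")
    if not c.smoke_passed:
        return ("hold", "staging smoke test failed")
    required = BAKE_TIME[c.tier]
    baked = now - c.staged_at
    if baked < required:
        # Still inside the bake window: the clock, not a human, decides when this clears.
        return ("hold", f"baking: {required - baked} remaining")
    if c.canary_error_rate is None:
        return ("canary", "bake complete; deploy to a single region or small traffic slice")
    if c.canary_error_rate > c.baseline_error_rate + CANARY_TOLERANCE:
        return ("rollback", f"canary error rate {c.canary_error_rate:.3f} burns the error budget")
    return ("rollout", "canary healthy; proceed to full rollout with budget monitoring")


# Constructed scenario at a fixed clock so the decisions are reproducible.
NOW = datetime(2023, 8, 29, 12, 0, tzinfo=timezone.utc)

SCENARIOS = [
    Candidate("kev-hotfix", "emergency", True, True, NOW - timedelta(hours=5)),
    Candidate("lib-bump", "routine", True, True, NOW - timedelta(days=1)),
    Candidate("proxy-upgrade", "two-weeks", True, True, NOW - timedelta(days=3),
              canary_error_rate=0.020, baseline_error_rate=0.005),
    Candidate("broken-build", "emergency", False, True, NOW - timedelta(hours=9)),
]

if __name__ == "__main__":
    for c in SCENARIOS:
        decision, reason = evaluate(c, NOW)
        print(f"{c.change_id:14} {decision:9} {reason}")
```

The ordering of the checks matters: CI and smoke results are cheap and fail fast, the bake window is enforced by elapsed time rather than by someone clicking "approve early", and the canary comparison is against the measured baseline so a noisy service does not get a free pass or a false rollback.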

The metric that matters

Mean time to patch is the wrong metric in isolation. The right metric is mean time to patch for the KEV-listed and reachable subset. Most organizations have a great MTTP if you only count the easy patches, and a terrible MTTP for the ones that actually matter. Measure the right cohort.
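To see the divergence the paragraph describes, compute MTTP twice over the same records: once over everything and once over the KEV-listed and reachable cohort, alongside attainment of the 72-hour window from the triage tiers above. This is an added example, not the article's reporting; the `PatchRecord` fields, the sample records and their placeholder CVE ids are constructed.

```python
"""Mean time to patch, measured on the cohort that matters.

Added example, not the article's reporting. PatchRecord fields, the sample
records and the 3-day (72-hour) SLA check are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

SLA_DAYS = 3   # 72 hours, the article's window for KEV-listed and reachable findings


@dataclass(frozen=True)
class PatchRecord:
    cve: str
    disclosed: date
    patched: date
    in_kev: bool
    reachable: bool

    @property
    def days_to_patch(self) -> int:
        return (self.patched - self.disclosed).days


def mttp_days(records: List[PatchRecord]) -> Optional[float]:
    """Mean time to patch in days, or None for an empty cohort (never report a misleading 0)."""
    return mean(r.days_to_patch for r in records) if records else None


def sla_attainment(records: List[PatchRecord], sla_days: int = SLA_DAYS) -> Optional[float]:
    """Fraction of the cohort patched within the SLA, or None for an empty cohort."""
    if not records:
        return None
    return sum(1 for r in records if r.days_to_patch <= sla_days) / len(records)


def mttp_report(records: List[PatchRecord]) -> Dict[str, Optional[float]]:
    """MTTP over everything, over the easy remainder, and over the KEV-listed and reachable subset."""
    critical = [r for r in records if r.in_kev and r.reachable]
    other = [r for r in records if not (r.in_kev and r.reachable)]
    return {
        "mttp_all": mttp_days(records),
        "mttp_other": mttp_days(other),
        "mttp_kev_reachable": mttp_days(critical),
        "sla_kev_reachable": sla_attainment(critical),
    }


# Constructed records with placeholder CVE ids (not real CVEs).
SAMPLE = [
    PatchRecord("CVE-0000-0101", date(2023, 6, 1), date(2023, 6, 2), False, False),
    PatchRecord("CVE-0000-0102", date(2023, 6, 1), date(2023, 6, 3), False, True),
    PatchRecord("CVE-0000-0103", date(2023, 6, 5), date(2023, 6, 8), False, False),
    PatchRecord("CVE-0000-0104", date(2023, 6, 5), date(2023, 6, 9), True, False),
    PatchRecord("CVE-0000-0105", date(2023, 6, 10), date(2023, 6, 30), True, True),
    PatchRecord("CVE-0000-0106", date(2023, 6, 12), date(2023, 7, 12), True, True),
]

if __name__ == "__main__":
    for key, value in mttp_report(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed data the blended MTTP is 10 days and the easy cohort's is 2.5, while the KEV-listed and reachable cohort sits at 25 days with no record inside the 72-hour window; the blended number is the one that looks fine on a dashboard.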

Closing

Patch management at scale is a triage problem, not a velocity problem. The teams that succeed combine KEV, EPSS, and reachability into a tiered model, build deliberate bake time into the process, and measure the right cohort. The teams that fail try to patch everything in seven days and miss the one CVE that was actually being exploited.
