Tese de Mestrado, Segurança Informática, 2022, Universidade de Lisboa, Faculdade de CiênciasVulnerabilities have been increasing over the years without signs of decreasing soon. With this ex ponential growth, it is important for organizations to define a vulnerability management plan to proceed
with what should be done if they encounter a vulnerability. However, existing plans and metrics do not
fit the current reality. Existing plans are not independent of vulnerability detection tools. The classifica tion systems currently used (the most common is CVSS) fail to provide information on the variation of
risk that a particular vulnerability entails for the organization. As this is not constant, being exception ally high when there is a form of active exploitation, as well as its location in the network and business
needs. SecRush presents itself as a new vulnerability management framework with a new risk-based
vulnerability management process. It has a set of procedures inspired by agile methodologies to mitigate
vulnerabilities and a new classification system - SecScore – able to provide a prioritization in context
with the organization. SecScore varies its ranking through temporal factors (specific risk index depend ing on the organization’s risk appetite and the availability of an exploit) and environmental factors (asset
visibility to the external network and importance of the asset to the organization’s mission). This project
intends not only to contribute with a set of procedures independent of the security tools used but also to
improve the currently existing classification systems for prioritization, which cannot adapt to the different
contexts in which they are found
