There are only two classes of vulnerabilities, not three:
1: The vulnerabilities that get fixed, and;
2: the vulnerabilties that don’t.
I find beffudling how popular it is to rate vulnerabilities, threats or risks using the High-Medium-Low scale or derivatives.This notoriously inefficient and time wasting classification only feeds discussions about the classification being correct or incorrect, or even rehashing of the classification criteria. If you want to get stuff done, don’t classify using High-Medium-Low, it only feeds the Chewbacca Defense (look it up)
Instead, promote communication and collaboration between teams by reaching agreements about what to fix and when using only two classes:
- During this period we will fix This, and;
- we won’t fix That.