How We Assess CVE Risk
wtfisthiscve goes beyond basic CVSS scores to help you understand the real-world risk of each vulnerability. We check multiple sources to answer two critical questions:
- Can attackers exploit this? (Weaponization status)
- Can defenders detect this? (Detection coverage)
Risk Levels
Based on detection and weaponization status, we assign a risk level:
| Risk Level | Meaning | Action |
|---|---|---|
| CRITICAL GAP | Exploits exist but NO detection available | Highest priority - you're blind to active attacks |
| HIGH | Exploits exist AND detection available | Urgent - ensure your detection tools are deployed |
| MEDIUM | Detection available but no known exploits | Important - detection gives you early warning |
| LOW | No known exploits or detection | Monitor - theoretical risk only |
What is a "Critical Gap"?
A Critical Gap is the most dangerous category: attackers have working exploit code, but defenders have no way to detect attacks using standard open-source tools.
These CVEs represent a pre-outbreak window - the opportunity to build detection BEFORE mass exploitation begins.
Note: Critical Gap status only applies to HIGH and CRITICAL severity CVEs (CVSS 7.0+).
EPSS Scores
We show EPSS (Exploit Prediction Scoring System) scores where available:
- What it is: A machine learning model that predicts the probability a vulnerability will be exploited in the wild within the next 30 days
- Range: 0% to 100%
- Source: FIRST.org EPSS
EPSS complements CVSS by answering "how likely?" rather than "how bad?".
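The risk-level table and the Critical Gap threshold above, worked through as a small triage script. This is an added example, not wtfisthiscve's own code: the record fields and the placeholder CVE identifiers are constructed, and the treatment of an exploited-but-undetected CVE below CVSS 7.0 (kept at HIGH) is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CveRecord:
    # Constructed schema for this example; not the tool's data model.
    cve_id: str
    cvss: float
    exploit_available: bool    # weaponization status: public exploit code exists
    detection_available: bool  # an open-source detection rule exists
    epss: Optional[float] = None  # 0.0-1.0 probability, None when unavailable

CRITICAL_GAP_CVSS_MIN = 7.0  # Critical Gap applies only to HIGH/CRITICAL severity

def risk_level(rec: CveRecord) -> str:
    """Map weaponization and detection status to the four risk levels."""
    if rec.exploit_available and not rec.detection_available:
        # Exploit with no detection: Critical Gap only at CVSS 7.0 or above.
        # Assumption (not stated on the page): below the threshold the CVE is
        # still HIGH, because working exploit code exists.
        return "CRITICAL GAP" if rec.cvss >= CRITICAL_GAP_CVSS_MIN else "HIGH"
    if rec.exploit_available:
        return "HIGH"      # exploit exists, detection available
    if rec.detection_available:
        return "MEDIUM"    # early warning, no known exploit
    return "LOW"           # theoretical risk only

LEVEL_ORDER = {"CRITICAL GAP": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def triage(records):
    """Order records by risk level, then by EPSS (highest first).
    A missing EPSS sorts after every known EPSS within the same level."""
    def key(rec):
        epss = rec.epss if rec.epss is not None else -1.0
        return (LEVEL_ORDER[risk_level(rec)], -epss)
    return [(r.cve_id, risk_level(r), r.epss) for r in sorted(records, key=key)]

# Constructed sample batch with placeholder identifiers.
SAMPLE = [
    CveRecord("CVE-EXAMPLE-A", 9.8, True, False, 0.91),   # CRITICAL GAP
    CveRecord("CVE-EXAMPLE-B", 7.2, True, False, None),   # CRITICAL GAP, no EPSS
    CveRecord("CVE-EXAMPLE-C", 5.3, True, False, 0.40),   # HIGH (below threshold)
    CveRecord("CVE-EXAMPLE-D", 8.1, True, True, 0.65),    # HIGH
    CveRecord("CVE-EXAMPLE-E", 7.5, False, True, 0.02),   # MEDIUM
    CveRecord("CVE-EXAMPLE-F", 4.0, False, False, None),  # LOW
]

if __name__ == "__main__":
    for cve_id, level, epss in triage(SAMPLE):
        print(f"{cve_id:16} {level:13} EPSS={epss}")
```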