Sev-1s are sapping developer productivity. Security remediations occupy a growing portion of developers’ time. For their part, developers often resent spending time on code fixes rather than adding new features or shipping new versions. Their concern is justified. In 2021, nearly 35% of all published Common Vulnerabilities and Exposures (CVEs) were classified as critical (Sev-1). The volume of all vulnerabilities published continues to skyrocket. Over 18,000 were published in 2022, the fourth record year in a row.
The dirty secret? A Sev-1 that might be an existential threat for one organization may represent a very low risk to another. For example, let’s consider a vulnerable logging component. In one company, it’s used in their most critical customer-facing app. In another, it is nested in an application in a test environment not connected to enterprise networks. In the first organization, the Sev-1 is a juicy target. In the second organization, it is unreachable and largely irrelevant. Or, to take another example, the developers overseeing that same logging component running on finance apps may have sanitized the data pathways that feed input into the logging component, reducing its attackability.