Coalition releases cyber vulnerability scoring system

Cyber insurance provider Coalition has announced the launch of the Coalition Exploit Scoring System (Coalition ESS), a vulnerability scoring system aimed at helping risk managers mitigate potential cyber threats.

“In cybersecurity, timing is everything,” said Tiago Henriques, head of security research at Coalition. “Thousands of new vulnerabilities are published monthly, and it’s nearly impossible for IT and security teams to quickly understand and address them all. Defenders need a more efficient way to sift through the noise and prioritise which vulnerabilities to remediate. With Coalition ESS, they have an early source of truth to evaluate which risks to prioritise mitigating before an incident occurs.”

Coalition ESS utilises artificial intelligence and large language modelling to analyse the descriptions provided within newly released common vulnerabilities and exposures (CVEs) and compares them to previously published vulnerabilities to predict the likelihood of exploitability.

According to Henriques, this results in two probability scores: the Exploit Availability Probability, which represents the likelihood of publicly available exploit code, and the Exploit Usage Probability, which indicates the likelihood of threat actors employing an exploit to execute an attack.

These scores provide security managers and IT professionals with a prioritisation list that outlines the vulnerabilities posing the greatest threats, thereby saving time and resources in the decision-making process, Coalition said.

Unlike scores derived from the Common Vulnerability Scoring System, Coalition ESS scores are responsive to changes in available exploit information. The scores are made available within one week of the initial vulnerability announcement, whereas other systems can take up to a month to score a vulnerability, Coalition said.

“We created Coalition ESS to prioritise our own vulnerability management efforts as we are often the first line of defence for hundreds of thousands of assets of our customers at scale,” Henriques said. “We use ESS to evaluate and notify our policyholders about which vulnerabilities have the highest potential to negatively affect them and, today, are releasing it to the broader community.”

Have something to say about this story? Let us know in the comments below.