Vulnerability prioritization attributes

Last updated: Mar 2, 2026

The Priority section within Policies allows you to configure your organization’s decisions for prioritizing vulnerability remediation by arranging risk-relevant attributes in order of importance.

The chosen arrangement (where 1 is the most important attribute and 5 is the least important) is used by Fluid Attacks to calculate the vulnerability priority rank.

The available attributes are the following:

• Transitivity: Related to supply chain risk, identifies whether the vulnerability exists in a transitive dependency (a component that one of your direct dependencies uses, but you do not directly control).
• Use: Refers to the environment where the vulnerable component is being used, either only in development or in production stages, helping you assess vulnerabilities by their real-world impact on your business operations and security posture.
• KEV: Whether the vulnerability is in the Known Exploited Vulnerabilities catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), i.e., vulnerabilities that have been actively exploited by attackers in the wild.
• % EPSS: The probability (from 0 to 1) that a vulnerability will be exploited in the next 30 days (Exploit Prediction Scoring System), and therefore a dynamic, predictive metric based on real-world threat intelligence
• Fixing cost: Fluid Attacks’ estimation of the time it would take your team to remediate the vulnerability.

Click on the attributes and drag them to arrange them according to your organization’s chosen order.

After rearranging the items, you can either click on Save changes or Cancel. The latter would restore the arrangement immediately preceding your current, unsaved change.

After saving the arrangement, you may restore the default arrangement by clicking the Reset to default button. It is then necessary to click on Save changes to keep that default setting.