The Patching Cadence risk vector is part of the Diligence risk category. It evaluates how long, on average, known vulnerabilities remain unpatched across an organization's infrastructure.
We’re introducing a new version of this risk vector, renamed to Critical Vulnerabilities Management, and it incorporates changes to how grades are calculated.
The most important changes in this new version are:
- The vulnerability's CVSS score now affects the grade and is the most influential factor: findings with high CVSS scores (e.g., 9.0 or 10.0) weigh most heavily.
- The average time a known vulnerability remains unpatched still affects the grade, but with less weight than severity. Vulnerabilities left unpatched for extended periods (e.g., hundreds of days) lower the score more significantly.
- Our new model uses a logarithmic scale to ensure that high-severity, long-running vulnerabilities have a significant, but fair, impact on the rating.
This new version ensures we’re measuring absolute risk:
- A high score indicates excellent patching performance, especially for critical issues.
- A low score means there are severe, long-standing vulnerabilities that pose significant risk and require urgent attention.
- The grades measure the severity and duration of vulnerabilities, not the size of the organization. Large organizations with good patching practices can still achieve high scores.
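To make the properties listed above concrete, here is an added illustrative model. It is example code written for this page, not Bitsight's actual algorithm: the exact formula and coefficients are not published here, so the severity term, the logarithmic duration term, the scale constants and the 0-100 mapping are all assumptions chosen only to exhibit the stated behaviour (CVSS dominates, age enters logarithmically, and averaging makes the grade independent of how many findings an organization has). The findings are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class OpenFinding:
    """One unpatched vulnerability observed on an organization's assets."""
    finding_id: str
    cvss: float      # CVSS base score, 0.0-10.0
    days_open: int   # days the finding has been observed unpatched


def severity_weight(cvss: float, exponent: float = 3.0) -> float:
    """Severity term (assumed shape, not Bitsight's): a power of the normalised
    CVSS score, so 9.0-10.0 findings dominate and low scores contribute little."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    return (cvss / 10.0) ** exponent


def duration_weight(days_open: int, scale_days: float = 30.0) -> float:
    """Duration term (assumed shape, not Bitsight's): logarithmic in age, so
    doubling the exposure time adds less than double the penalty."""
    if days_open < 0:
        raise ValueError("days_open must be non-negative")
    return math.log2(1.0 + days_open / scale_days)


def finding_penalty(f: OpenFinding) -> float:
    """Per-finding penalty: severity scales the (logarithmic) duration term."""
    return severity_weight(f.cvss) * duration_weight(f.days_open)


def grade(findings: Iterable[OpenFinding], worst_penalty: float = 4.0) -> float:
    """Map the mean per-finding penalty onto a 0-100 grade.

    Using the mean rather than the sum is what makes the grade size-agnostic:
    an organization with three times as many findings but the same severity
    and age profile receives the same grade. Nothing to patch scores 100."""
    fs = list(findings)
    if not fs:
        return 100.0
    mean_penalty = sum(finding_penalty(f) for f in fs) / len(fs)
    return 100.0 * (1.0 - min(mean_penalty, worst_penalty) / worst_penalty)


def remediation_order(findings: Iterable[OpenFinding]) -> List[OpenFinding]:
    """Findings sorted by their contribution to the penalty; patching from the
    top of this list raises the grade fastest."""
    return sorted(findings, key=finding_penalty, reverse=True)


# Constructed sample data (hypothetical identifiers, not real CVEs).
SAMPLE = [
    OpenFinding("finding-1", 9.8, 200),   # critical, long-running
    OpenFinding("finding-2", 7.5, 45),    # high, moderately old
    OpenFinding("finding-3", 4.3, 400),   # medium, very old
    OpenFinding("finding-4", 9.1, 3),     # critical, just appeared
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f"{f.finding_id}: cvss={f.cvss} days={f.days_open} "
              f"penalty={finding_penalty(f):.2f}")
    print(f"grade: {grade(SAMPLE):.1f}")
    print(f"grade with list tripled: {grade(SAMPLE * 3):.1f}")
```

Two things worth noticing when you run it: the 4.3 finding that has been open 400 days ranks below the 7.5 finding open 45 days, which is the "CVSS is the most impactful factor" property, and tripling the list leaves the grade unchanged, which is the size-agnostic property. Swap in your own exported findings to see which ones are actually dragging the average down.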
Advantages of this change include:
- More Accurate Ratings: A better reflection of the organization's patching performance.
- Actionable Guidance: Understand exactly where to focus efforts to improve the score, especially on critical vulnerabilities.
- Increased Confidence: The ratings are now even more scientifically grounded and transparent.
- Fairer Comparisons: The score will reflect absolute risk reduction, not just total vulnerability count.
- Drives Better Security Outcomes: Encourages rapid remediation of the most impactful vulnerabilities.
Please refer to the chart below for a visual understanding of how severity, duration and score drop are related:
FAQ
Are the vulnerabilities included in Patching Cadence going to change?
No, the set of vulnerabilities considered will remain consistent. The change focuses on how the severity and duration of unpatched vulnerabilities affect the score, not on which vulnerabilities are tracked.
Will both versions be included in the rating at the same time?
No. The current Patching Cadence risk vector will continue to be included in the Bitsight Security Rating until the updated Critical Vulnerabilities Management is released. Once released, only the updated version will be included, and the old Patching Cadence will be retired. The two will not coexist in the rating at the same time.
Why is the CVSS score now the most important factor?
The CVSS score reflects the inherent severity of a vulnerability. Weighting grades more heavily toward severity ensures that organizations address the issues that pose the greatest real-world risk.
How does this affect my Bitsight rating?
Your organization may see risk vector grade and/or rating shifts depending on your patching behavior for high-severity vulnerabilities. If you've been patching critical vulnerabilities quickly, you may see an improvement in your score. If you've allowed high-risk vulnerabilities to linger, your grade may decrease.
Will the new model penalize larger organizations more?
No. Like the previous version of Patching Cadence, this model is designed to be size-agnostic. It evaluates how well vulnerabilities are patched, not how many vulnerabilities exist. A large organization with disciplined vulnerability management can still score highly.
Will historical patching performance be reset?
No. The model continues to consider the duration a vulnerability remains unpatched, so historical delays still factor in. However, improvements in current patching behavior will gradually raise your score over time.
What should we focus on to improve our grade?
- Prioritize patching vulnerabilities with high CVSS scores.
- Reduce the average time to remediation; the longest-running vulnerabilities pull that average up the most, so closing them first helps.
- Implement structured vulnerability management processes so issues are tracked and fixed promptly rather than left to age.
Will Critical Vulnerabilities Management be included in the Risk Remediation Plan?
Yes, we intend to incorporate Critical Vulnerabilities Management into the Risk Remediation Plan prior to its inclusion in the rating. In the meantime, the Risk Vector Preview page offers a look at how an entity's grade could be affected by the upcoming update.