Some text here
RSVP for our Party!

Unpacking the Kusari Score

Cut through the noise to prioritize which vulnerability gets fixed next

Parth Patel

Jeff Mendoza

February 13, 2025

When you have one vulnerability, prioritizing which vulnerability to fix is easy. What happens when you have tens, hundreds, or even thousands of vulnerabilities across your application portfolio? Analysis paralysis can lead to nothing getting fixed. To address this, the Kusari Platform includes a Kusari Score for each identified vulnerability. The Kusari Score provides an easy prioritization method for engineers, product managers, or anyone else who needs to decide what gets fixed next.

What’s in the Kusari Score?

The Kusari Score is a combination of a vulnerability’s severity and how widely-distributed it is in the application portfolio. You can’t look at vulnerabilities one application at a time. Securing your software supply chain works better when you have a holistic view. The more often a vulnerability appears in your dependency graph, the greater the odds that an attacker will be able to exploit it. Therefore, the priority of remediating a vulnerability has to be more than just a measure of technical severity. As we develop the Kusari Platform, we’re working on more ways to provide meaningful context for prioritization.

Of course, the severity matters, too. The Kusari Score uses the industry standard Common Vulnerability Scoring System (CVSS) score. CVSS includes metrics for:

  • Attack vector
  • Attack complexity
  • Attack requirements
  • Privileges required
  • User interaction
  • Vulnerable system confidentiality impact
  • Vulnerable system integrity impact
  • Vulnerable system availability impact
  • Subsequent system confidentiality impact
  • Subsequent system integrity impact
  • Subsequent system availability impact

Combining these factors into a resulting severity score gives a comprehensive representation of the potential impact of a vulnerability.

How to use the Kusari Score

The Vulnerabilities tab in the Kusari Platform sorts vulnerabilities from highest to lowest Kusari Score by default, so the easiest way to use the Kusari Score is to start at the top of the table and work your way down. Because the Kusari platform integrates into your source code repositories and CI/CD pipelines, this method lets you address the most severe and widespread vulnerabilities first. The Kusari Score is for prioritization, not to objectively rate vulnerabilities. That means the score for a given vulnerability may change as other vulnerabilities are added or removed. The goal is to give you a relative list of what’s most important to fix right now.

A listing of vulnerabilities sorted by descending Kusari Score
A listing of vulnerabilities sorted by descending Kusari Score

The Kusari Score is a starting point. You can further refine your prioritization. For example: you may filter for the vulnerabilities with a “low” effort to fix rating in order to address the low-hanging fruit. This gives your team quick wins and improves your overall security while the developers are working through the more difficult issues.

The Kusari Score comes from our experience in software supply chain security. As the industry matures and new tools and methodologies become available, we continue to fine-tune the Kusari Score methodology. This ensures that the score you see in the Kusari Platform always reflects the best evaluation of a vulnerability’s priority.

Like what you read? Share it with others.

Other blog posts 

The latest industry news, interviews, technologies, and resources.

View all posts

Open Source Summit 2022

Takeaways & Learnings

June 23, 2022
Tim Miller

SPIFFE/SPIRE CSI Driver

Overview of the SPIFFE/SPIRE CSI Driver

June 27, 2022
Parth Patel

Not Just Third Party Risk

There’s a misconception in Cybersecurity among some that Software Supply Chain Security is just Third Party Risk Mana...

July 20, 2022
Michael Lieberman

Government Memo for Enhancing the Security of the Software Supply Chain

Executive Order (EO) 14028, Improving the Nation’s Cybersecurity was released last year in May.

September 19, 2022
Parth Patel

A High Fidelity View of Software Supply Chain

Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance.

October 20, 2022
Michael Lieberman

Kusari presenting at KubeCon and Cloud Native SecurityCon NA 2022

KubeCon + CloudNativeCon is right around the corner and we are excited to be attending in person!

October 21, 2022
Parth Patel

The Next Heartbleed?

Heartbleed (CVE-2014-0160) in 2014 left the industry in a scramble...

October 31, 2022
Parth Patel

Kusari's Software Supply Chain Security Overview

What is Software Supply Chain security, and why should I care?

March 14, 2023
Michael Lieberman

Applying Zero Trust to the Software Supply Chain

Understanding Zero Trust and Its Benefits

March 28, 2023
Michael Lieberman

Figure Out Who's Lurking in Your Supply Chain With Signatures and Attestations

A Story of Software and Cats

April 4, 2023
Michael Lieberman

Kusari Open-Sources Spector

We’re excited to announce the open-sourcing of Spector.

April 26, 2023
Michael Lieberman

GUAC v0.1 Beta Release

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition.

May 23, 2023
Tim Miller

Quest to determine the 'G' in GUAC

Working towards determining a persistent database for GUAC

June 27, 2023
Parth Patel

daBOM Podcast with Tim & DJ

Tim appeared as a guest on the daBOM podcast.

July 5, 2023
Tim Miller

Announcing Helm Chart for GUAC

Helm Chart for GUAC

July 12, 2023
Tim Miller

Case Study: A discussion with Guidewire on GUAC

A look into Guidewire's software supply chain security use case and why they are using GUAC

August 2, 2023
Michael Lieberman

Announcing the Kusari YouTube Channel and GUACademy

Kusari have just launched a YouTube Channel!

August 23, 2023
Jeff Mendoza

Terror of cURL - Preparation is Half the Battle

CVE-2023-38545 - HIGH Severity Vulnerability

October 16, 2023
Parth Patel

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

GUAC's OpenVEX Integration

October 31, 2023
Nathan Naveen

What the NSA Missed in its SBOM Management Recommendations

The missing first step that most organizations are still struggling with

December 22, 2023
Parth Patel

Contributor to Leader: Securing Open Source Software at OpenSSF

Kusari elected to OpenSSF leadership roles

January 16, 2024
Michael Lieberman

Our $8M Funding Round Fuels our Mission to Make the Software Supply Chain Transparent and Secure

Kusari raises seed funding

January 18, 2024
Tim Miller

Kusari Soaks up Community at FOSDEM and Beyond

Kusari speaking at FOSDEM and other EU community venues

January 26, 2024
Jeff Mendoza

From Open Source Community to Joining a Start-up – while in High School

Nathan Naveen, a 17-year-old high schooler, shares his journey to becoming an intern at Kusari

February 8, 2024
Nathan Naveen

Unveiling GUAC as an OpenSSF Incubating Project for Software Dependency Management

Today, we find ourselves in a moment akin to proud parents, as we witness a significant milestone in the journey of Graph for Understanding Artifact Composition (GUAC).

March 7, 2024
Parth Patel
Michael Lieberman

Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project

The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.

March 7, 2024
Michael Lieberman
Brandon Lum

XZ Backdoor: Software Security Lessons

The recent incident involving the XZ backdoor brings to light the critical importance of vigilance and proactive security measures, while not losing sight of the human element.

April 5, 2024
Michael Lieberman

Proactive Security in the Post-Log4j Era

Gone are the days when signing containers and running vulnerability scans through CI processes provided a sense of security.

April 23, 2024
Tim Miller

Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release

Open source supply chain observability tool standardizes on PostgreSQL

May 6, 2024
Jeff Mendoza
Dejan Bosanac

Another Turn of the Page: GUAC v0.7.0 Released

Improving performance with pagination and more

June 4, 2024
Parth Patel

Counting CVEs Was Never Enough

CVE IDs don't tell you much, but somehow we started using them as a proxy for security

June 6, 2024
Ben Cotton

Kusari Signs the Secure by Design Pledge

The Secure By Design Pledge is a great starting point, but it can’t be the end.

June 12, 2024
Tim Miller

To Fork or Not to Fork

How you handle your dependencies will change how you secure your software supply chain

June 27, 2024
Ben Cotton

Meeting Federal Software Supply Chain Mandates

Only two months left until the Secure Software Development Attestation Form deadline

July 11, 2024
Parth Patel

Achieving Wisdom with GUAC Visualizer

It's not enough to just have the data, you need to be able to see it.

July 23, 2024
Ben Cotton

Announcing GUAC v0.8.0 Enhancements

GUAC v0.8.0 brings support for license information, running vuln scans upon SBOM ingestion, node deletion, and many other improvements.

July 25, 2024
Parth Patel

Why Software Cannot Be Secured by SBOMs Alone

Actionable insights come from SBOMs plus additional information

July 31, 2024
Tim Miller

Hack-Proof Artificial Intelligence Supply Chains Using Open Source Security

Practical ways to protect against AI software attacks

August 5, 2024
Tim Miller
Michael Lieberman

GUAC Boosts License Transparency

v0.8.0 features new integration with ClearlyDefined

August 8, 2024
Ben Cotton

Understanding Prevalence is the First Step

The White House commits $11 million to enhance our collective understanding of the challenges surrounding open source software.

August 26, 2024
Ben Cotton

You Can’t Fix Issues if You Can’t Find Them

Organizations often struggle to identify vulnerabilities and risks hidden within the layers of dependencies. Address it by using a holistic approach to software security.

October 18, 2024
Ben Cotton
Parth Patel

Introducing the Kusari Platform—know your software

Navigating modern software development is a complex challenge. Kusari’s aim is to make it easier.

October 22, 2024
Parth Patel

Is Your Supply Chain Haunted by CVEs?

Secure development starts with developers: bring forth the code masters

October 31, 2024
Michael Lieberman

The Path to Zero CVEs: Vanquishing Cyber Threats

Addressing Common Vulnerabilities and Exposures (CVEs) is no longer optional—aiming to eliminate them is a critical priority for securing modern systems.

November 8, 2024
Michael Lieberman
Andrew Martin, CEO of ControlPlane

Is the Internet on Fire? The State of Open Source Security

Amid the flurry of innovation and collaboration at last week's KubeCon North America, a critical theme emerged: the precarious state of open source security.

November 26, 2024
Michael Lieberman
Andrew Martin, CEO of ControlPlane

The Best Way to Secure Your Open Source Supply Chain is to Participate

Open source software powers 96% of modern applications, but it comes with challenges. Companies can secure their supply chains by actively participating in the open source projects they rely on.

December 5, 2024
Ben Cotton

Rust Won’t Fix Everything: Moving Toward a Memory-Safe Future

Rust is promising for addressing memory safety issues. Improving existing C/C++ toolchains will take time, but these steps help set a realistic path forward.

December 9, 2024
Ben Cotton
Michael Lieberman

Threat Modeling in the Software Development Life Cycle

What are you defending against? From upstream dependencies to code repositories, threat modeling ensures you're prepared to mitigate risks, reduce vulnerabilities, and avoid costly compromises.

December 17, 2024
Parth Patel

Solving the “Bottom Turtle” Problem in Supply Chain Security

Software supply chain security is like a stack of turtles—each layer depends on the integrity of the one below it. Continuous vigilance is key to maintaining security all the way down.

December 18, 2024
Michael Lieberman

Software Supply Chain Security Predictions: Hits & Misses from 2024

As 2025 approaches, it’s time to revisit our 2024 software supply chain security predictions to see how they held up.

December 29, 2024
Michael Lieberman

AI Alone Won’t Fix Your Supply Chain

Properly integrating AI into your processes can help identify risks and offer proactive insights, but the final decisions must always remain in human hands.

January 10, 2025
Tim Miller

Software Supply Chain Security Predictions for 2025

This year, we focus on the evolving role of AI, pressing software security concerns, and emerging regulations.

January 13, 2025
Michael Lieberman

Stick a Pin in It: Managing Dependencies for Supply Chain Security

Managing software dependencies is an important part of software supply chain security. Here are three approaches you can take to pin your dependencies to known-good versions.

January 23, 2025
Ben Cotton

Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices

Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.

February 3, 2025
Michael Lieberman

Unpacking the Kusari Score

Cut through the noise to prioritize which vulnerability gets fixed next

February 13, 2025
Parth Patel
Jeff Mendoza

Unpacking the Kusari “Effort to Fix” Capability

Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.

February 18, 2025
Parth Patel
Jeff Mendoza

Building a Foundation of Trust for a Stronger Software Supply Chain

Creating a secure foundation of trust enables organizations to safely delegate specific actions in the software development life cycle.

February 20, 2025
Michael Lieberman

Previous

No older posts

Next

No newer posts

Want to learn more?

Book a Demo
About KusariResourcesContactCareersCompany Logos
© 2025 Kusari Inc. All rights reserved.
Terms
Privacy
Cookies
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept