RiskBridge: Turning CVEs into Business-Aligned Patch Priorities

arXiv cs.AI, 2026-05-26. Authors: Yelena Mujibur Sheikh, Awez Akhtar Khatik, Luoxi Tang, Yuqiao Meng, Zhaohan Xi

Abstract

arXiv:2601.06201v2 (replace-cross). Enterprises are confronted with an unprecedented escalation in cybersecurity vulnerabilities, with thousands of new CVEs disclosed each month. Conventional prioritization frameworks such as CVSS offer static severity metrics that fail to account for exploit probability, compliance urgency, and operational impact, resulting in inefficient and delayed remediation. This paper introduces RiskBridge, an explainable and compliance-aware vulnerability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business-aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to forecast near-term exploit likelihood, a Policy-as-Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into automated SLA logic, and an ROI-driven Optimizer to maximize cumulative risk reduction per remediation effort.
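To make the three ingredients in the abstract concrete (fusing CVSS v4, EPSS and KEV into one risk figure, expressing compliance deadlines as code, and ordering work by risk reduced per unit of effort), here is an added, self-contained Python example. It is not the RiskBridge implementation: the paper's ZDES model, its Policy-as-Code Engine and its Optimizer are not reproduced, and the much simpler stand-ins below (EPSS used directly as exploit likelihood, KEV treated as certainty, a greedy ROI fill) are this example's own choices. The SLA deadlines, asset weights, effort estimates and CVE identifiers in the sample data are all constructed for illustration, not quotes from PCI DSS, NIST SP 800-53 or any real advisory.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                  # identifier (sample values below are constructed placeholders)
    cvss_v4: float            # CVSS v4 base score, 0-10
    epss: float               # EPSS: probability of exploitation in the next 30 days
    in_kev: bool              # listed in CISA KEV
    asset_weight: float       # 0-1 business criticality of the affected asset
    effort_hours: float       # estimated remediation effort
    scopes: tuple = ()        # compliance scopes the asset falls under, e.g. ("pci",)

# Policy-as-code stand-in: each rule maps a finding to an SLA in days, or None
# when the rule does not apply. The deadlines are ASSUMED for this example and
# are not taken from the cited standards.
SLA_RULES = (
    ("kev",      lambda f: 14 if f.in_kev else None),
    ("pci_high", lambda f: 30 if "pci" in f.scopes and f.cvss_v4 >= 7.0 else None),
    ("default",  lambda f: 90),
)

def sla_days(f: Finding) -> int:
    """The strictest applicable rule wins."""
    return min(d for _, rule in SLA_RULES if (d := rule(f)) is not None)

def risk(f: Finding) -> float:
    """Exploit likelihood x technical impact x business weight.
    KEV membership overrides EPSS because exploitation is already observed."""
    likelihood = 1.0 if f.in_kev else f.epss
    return likelihood * (f.cvss_v4 / 10.0) * f.asset_weight

def roi(f: Finding) -> float:
    """Risk removed per hour of remediation effort."""
    return risk(f) / f.effort_hours

def plan(findings: list[Finding], budget_hours: float, horizon_days: int) -> list[str]:
    """Schedule every finding whose SLA falls inside the planning horizon
    (compliance is a hard constraint), then fill the remaining budget
    greedily by ROI. Returns CVE ids in execution order."""
    mandatory = sorted((f for f in findings if sla_days(f) <= horizon_days),
                       key=roi, reverse=True)
    optional = sorted((f for f in findings if sla_days(f) > horizon_days),
                      key=roi, reverse=True)
    chosen = list(mandatory)
    remaining = budget_hours - sum(f.effort_hours for f in mandatory)
    for f in optional:
        if f.effort_hours <= remaining:
            chosen.append(f)
            remaining -= f.effort_hours
    return [f.cve for f in chosen]

# Constructed sample: a CVSS 9.8 finding with negligible EPSS, a KEV-listed
# CVSS 7.5 on a PCI asset, a low-CVSS but actively probed bug, and a
# high-CVSS PCI finding that is expensive to fix.
SAMPLE = [
    Finding("CVE-2099-0001", 9.8, 0.02, False, 0.5, 8.0),
    Finding("CVE-2099-0002", 7.5, 0.90, True,  1.0, 4.0, ("pci",)),
    Finding("CVE-2099-0003", 5.3, 0.40, False, 0.8, 2.0),
    Finding("CVE-2099-0004", 8.8, 0.05, False, 1.0, 12.0, ("pci",)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.cve}: sla={sla_days(f)}d risk={risk(f):.4f} roi={roi(f):.4f}/h")
    print("plan (20h, 30-day horizon):", plan(SAMPLE, 20.0, 30))
```

Note what the ordering does with the CVSS 9.8 finding: with a 2% EPSS on a half-weight asset it ranks below a CVSS 5.3 bug that is being actively exploited, which is exactly the inversion the abstract argues a static severity score cannot express. In a real deployment the EPSS and KEV inputs would be refreshed daily, since both change far more often than CVSS base scores.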