u/Mysterious_Ice_1687

CVSS score alone wont tell you if youre actually exposed

I was testing an agent on CVE-2024-3094 and ran into a pretty obvious problem.

Most normal CVE searches only return two things:

a CVSS score

a short vulnerability description

But if you are actually doing vulnerability triage, that is not enough.

The real question is not just how severe is this CVE.

The real questions are:

Are we actually using this package?

Are we using an affected version?

Is it a direct dependency or a transitive dependency?

When was the official patch released?

Is there any real exploitation evidence?

Did any public company disclose operational or financial impact related to it?

Which fields are verified, and which fields are still unknown?

So now I ask the agent to extract fields like:

affected_versions

dependency_depth

patch_status

exploitation_confidence

enterprise_impact_signal, like SEC 8-K disclosures

unknown_fields

The last part matters more than I expected.

If the agent cannot verify something, it should mark it as unknown instead of guessing from a few search results.

In security work, an unknown field is often safer than a confident fake answer.

I am collecting more structured CVE triage query templates like this in r/AnySearchAI, mostly around agent search, structured security research, and cross-source risk checks.

If you are building security agents or doing CVE triage, the template might be useful.

reddit.com
u/Mysterious_Ice_1687 — 4 days ago