How We Build the Weekly Vulnerability Roundup
Every Monday, ComplyIT publishes a curated digest of the most significant vulnerabilities disclosed in the previous seven days. This page explains what we track, how we score it, and why the rankings look the way they do.
Sources
We pull from two authoritative feeds maintained by the United States government:
- CISA Known Exploited Vulnerabilities (KEV) catalog — a curated list of CVEs confirmed to be actively exploited in the wild. When CISA adds a vulnerability to the KEV, federal agencies must remediate it within a set deadline. In practice, any organization should treat a KEV listing as a signal to act fast.
- National Vulnerability Database (NVD) — the U.S. government’s comprehensive CVE repository, enriched with CVSS scores, CWE classifications, and reference links. We query for CVEs with a CVSS v3 base score of 7.0 or higher (HIGH and CRITICAL severity) that were published or modified during the reporting window.
We merge both sources, deduplicate by CVE ID, and enrich each entry with vendor advisories, exploit availability signals, and CWE data.
Composite scoring
Rather than ranking purely by CVSS score, we apply a composite formula designed to surface the vulnerabilities that matter most to security teams managing enterprise risk:
- KEV listing (+5.0) — the single strongest signal. If CISA has confirmed active exploitation, this vulnerability jumps to the top of the list regardless of its CVSS score.
- CVSS base score (+0 to +10.0) — the standard severity metric. We use the NVD-provided CVSS v3.1 (or v3.0) base score.
- Public exploit availability (+2.0) — if any NVD reference is tagged as an exploit, the vulnerability is easier to weaponize and warrants faster action.
- Mainstream vendor (+1.5) — vulnerabilities in widely deployed enterprise products (Microsoft, Cisco, Fortinet, Apache, Oracle, VMware, Broadcom, Atlassian, Citrix, Ivanti, F5, Palo Alto, SAP, IBM) get a boost because they affect more organizations.
- Top-25 CWE (+1.0) — vulnerabilities classified under MITRE’s 2023 Top 25 Most Dangerous Software Weaknesses get a small boost. These are the weakness types that appear most frequently and cause the most damage.
- Network attack vector (+0.5) — remotely exploitable vulnerabilities pose a higher risk than those requiring local or physical access.
Ties are broken by KEV add date (earlier first), then CVSS score (higher first), then CVE ID alphabetically. We cap each digest at 15 entries to keep the roundup actionable rather than exhaustive.
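The scoring and tie-break rules above, carried through on a constructed sample week as an added example (this is illustrative code, not the roundup's own pipeline). The CVE IDs are placeholders, the Top-25 CWE set is an assumed subset of the 2023 list, and entries with no KEV date are assumed to sort after every KEV entry when scores tie.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Weights from the methodology above.
KEV_BONUS, EXPLOIT_BONUS, VENDOR_BONUS, CWE_BONUS, NETWORK_BONUS = 5.0, 2.0, 1.5, 1.0, 0.5
MAX_ENTRIES = 15
MAINSTREAM_VENDORS = {"microsoft", "cisco", "fortinet", "apache", "oracle", "vmware", "broadcom",
                      "atlassian", "citrix", "ivanti", "f5", "palo alto", "sap", "ibm"}
# Illustrative subset of the 2023 CWE Top 25 (assumption: the real roundup loads the full list).
TOP25_CWES = {"CWE-787", "CWE-79", "CWE-89", "CWE-416", "CWE-78", "CWE-20", "CWE-125", "CWE-22"}

@dataclass
class Cve:
    cve_id: str
    cvss: float                   # NVD CVSS v3.x base score
    vendor: str
    cwes: List[str]
    attack_vector: str            # CVSS AV metric: "N", "A", "L" or "P"
    reference_tags: List[str]     # tags on NVD reference links, e.g. "Exploit", "Vendor Advisory"
    kev_date_added: Optional[date] = None   # set only when CISA lists the CVE in the KEV

def composite_score(c: Cve) -> float:
    score = c.cvss                                              # +0 to +10.0
    score += KEV_BONUS if c.kev_date_added is not None else 0.0
    score += EXPLOIT_BONUS if any(t.lower() == "exploit" for t in c.reference_tags) else 0.0
    score += VENDOR_BONUS if c.vendor.lower() in MAINSTREAM_VENDORS else 0.0
    score += CWE_BONUS if any(w in TOP25_CWES for w in c.cwes) else 0.0
    score += NETWORK_BONUS if c.attack_vector == "N" else 0.0
    return round(score, 2)

def rank(cves: List[Cve]) -> List[Cve]:
    # Score descending; ties by earlier KEV date, then higher CVSS, then CVE ID.
    # Assumption: entries without a KEV date sort after any KEV entry (date.max).
    key = lambda c: (-composite_score(c), c.kev_date_added or date.max, -c.cvss, c.cve_id)
    return sorted(cves, key=key)[:MAX_ENTRIES]

# Constructed sample week; the CVE IDs are placeholders, not real records.
SAMPLE_WEEK = [
    Cve("CVE-2099-0001", 10.0, "ExampleCorp", ["CWE-787"], "N", ["Vendor Advisory"]),
    Cve("CVE-2099-0002", 7.5, "Fortinet", ["CWE-22"], "N", ["Exploit"], date(2099, 1, 6)),
    Cve("CVE-2099-0003", 7.5, "Cisco", ["CWE-22"], "N", ["Exploit"], date(2099, 1, 3)),
    Cve("CVE-2099-0004", 8.8, "Microsoft", [], "L", []),
]

def weekly_digest() -> List[str]:
    return [c.cve_id for c in rank(SAMPLE_WEEK)]
```

In this sample the two KEV-listed CVSS 7.5 entries score 17.5 and outrank the non-KEV CVSS 10.0 entry at 11.5, and the earlier KEV add date decides the tie between them.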
Why KEV weighs the highest
A CVSS 10.0 vulnerability that nobody is exploiting is less urgent than a CVSS 7.5 vulnerability that threat actors are actively using against production systems. CISA’s KEV catalog is the closest thing the industry has to a verified “this is being exploited right now” list. By weighting KEV membership at +5.0 — equivalent to half a maximum CVSS score — we ensure that confirmed exploitation always outranks theoretical severity.
Cross-reference logic
Each digest includes a “Related ComplyIT Analysis” section when relevant blog posts exist. We compute relevance by checking whether blog categories overlap with the dominant vulnerability topics of the week, whether vendor or product names appear in recent articles, and how recently the article was published. Posts from the last 90 days score higher; posts from the last 7 days score lower to avoid circular self-promotion of brand-new content. We surface at most two related articles, and only if they meet a minimum relevance threshold.
AI-assisted content
Per-CVE mitigation guidance and the “Themes & Observations” section are generated using an AI model. All AI output is validated against our editorial guidelines: no marketing language, no filler phrases, and an opinionated, senior-leader tone. If generation fails, mitigation text may be absent and the themes section is omitted entirely — we prefer no content to bad content.
Update cadence
This methodology is refreshed quarterly. The vendor list, CWE set, and scoring weights may be updated to reflect changes in the threat landscape. Structural changes are noted here.
Volume threshold
If fewer than 8 qualifying CVEs are found in a given week (rare, but possible during holiday periods), we skip the roundup rather than publish a thin digest. Our operator chat receives a notification, and the roundup resumes the following Monday.