@blamejs/exceptd-skills 0.9.1

package/skills/exploit-scoring/skill.md

@@ -0,0 +1,331 @@
+---
+name: exploit-scoring
+version: "1.0.0"
+description: Real-World Exploit Priority (RWEP) scoring — CVSS plus KEV, PoC, AI-acceleration, blast radius, live-patch factors
+triggers:
+  - exploit scoring
+  - rwep
+  - real world priority
+  - how bad is this cve
+  - prioritize cve
+  - cve priority
+  - patch priority
+  - beyond cvss
+data_deps:
+  - cve-catalog.json
+  - exploit-availability.json
+atlas_refs: []
+attack_refs: []
+framework_gaps:
+  - CWE-Top-25-2024-meta
+  - CIS-Controls-v8-Control7
+last_threat_review: "2026-05-01"
+---
+
+# Real-World Exploit Priority (RWEP) Scoring
+
+CVSS measures severity — the theoretical worst-case impact of a vulnerability. RWEP measures priority — how urgently a specific vulnerability requires action given real-world exploit availability, operational constraints, and blast radius.
+
+A CVSS 9.8 vulnerability with no public exploit, no active exploitation, and a straightforward patch may be lower priority than a CVSS 7.8 vulnerability that is CISA KEV listed, has a public 732-byte deterministic exploit, and requires a reboot to patch.
+
+---
+
+## Threat Context (mid-2026)
+
+RWEP exists because the exploit development cycle has compressed. The factors that CVSS does not model are now the dominant signal in real-world prioritization.
+
+- **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour. CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors.
+- **CVSS undercounts AI-discovered + KEV-listed bugs.** CVE-2026-31431 scores CVSS 7.8 (High). Treated as a CVSS-band-7 item, it lands in a 30-day remediation queue. Treated honestly — CISA KEV listed, 732-byte deterministic public PoC, all Linux ≥ 4.14, AI-discovered — it is a 4-hour incident. CVSS misses every one of those amplifiers.
+- **CVSS overscores supply-chain-prerequisite CVEs.** CVE-2026-30615 (Windsurf MCP) scores CVSS 9.8 because the worst-case is zero-interaction RCE. The actual exploitation rate is throttled by the requirement that a victim first install a malicious MCP server. RWEP correctly rates it 35, lower than Copy Fail at 90 despite the lower CVSS.
+- **Compliance frameworks anchor SLAs on CVSS bands.** NIST 800-53 SI-2, PCI DSS 6.3.3, ISO 27001:2022 A.8.8, and most internal vuln-management policies translate CVSS High/Critical into 30-day/7-day windows. For AI-discovered KEV-listed LPEs with public PoCs, these windows are exploitation windows. RWEP is the layer that lets an org prioritize honestly without re-writing every framework control.
+
+---
+
+## Framework Lag Declaration
+
+| Framework | Control | What It Assumes | Why It Fails (mid-2026) |
+|---|---|---|---|
+| NIST 800-53 Rev 5 | SI-2 (Flaw Remediation) | CVSS-banded patch cycles: 30 days for High, 7 days for Critical | No factor for CISA KEV listing, AI-discovered, public PoC byte-size, deterministic vs. race-condition exploits. A CVSS 7.8 AI-discovered KEV-listed LPE drops into the 30-day bin alongside CVSS 7.8 theoretical bugs. |
+| NIST 800-53 Rev 5 | RA-5 (Vulnerability Monitoring and Scanning) | Scanner CVSS scores drive ticket priority | Scanners report CVSS. CVSS 7.8 Copy Fail and CVSS 7.8 obscure-config RCE generate identical ticket priorities. Operational queues cannot distinguish them without RWEP. |
+| PCI DSS 4.0 | 6.3.3 | "Critical patches" (CVSS-defined) within 1 month, all others within 3 months | CVSS-anchored SLA. 1 month for a 732-byte CISA KEV public PoC is indefensible. No factor for AI-discovery or live-patch availability. |
+| ISO 27001:2022 | A.8.8 (Management of technical vulnerabilities) | "Appropriate timescales" set by risk classification, typically CVSS-driven | Risk classification methodology is not specified; in practice orgs use CVSS bands. Standard offers no guidance distinguishing AI-discovered KEV-listed from theoretical High. |
+| CIS Controls v8 | Control 7 (Continuous Vulnerability Management) | IG1/IG2/IG3 timelines indexed on CVSS Critical/High | Same CVSS-anchored SLA failure. No factor for KEV status as a re-prioritization trigger. |
+| NIS2 Directive | Art. 21 (vulnerability handling) | "Appropriate measures" — methodology unspecified | In practice essential/important entities map this to CVSS-driven internal SLAs. Standard does not require any non-CVSS factor. |
+| ASD Essential 8 | Patch Operating Systems ML1–ML3 | ML3: 48h for OS vulns "with working exploit" | Closest to adequate — at least incorporates exploit availability. Still does not model AI-discovery, KEV, blast radius, or live-patch availability. 48h window remains long for AI-accelerated weaponization. |
+| FedRAMP Continuous Monitoring | Vuln scan cadence + CVSS-band remediation | Monthly scans, CVSS-banded SLAs | Cadence-based detection plus CVSS-banded remediation cannot respond inside the AI-accelerated exploit window. |
+
+Across all of these, the framework lag is the same shape: **CVSS-as-risk-proxy.** RWEP is the operational corrective layer.
+
+---
+
+## TTP Mapping
+
+This skill is meta — it does not pin to a single TTP class. RWEP is the cross-cutting prioritization layer applied **across all attack classes catalogued in `data/atlas-ttps.json` and `data/cve-catalog.json`**. Frontmatter `atlas_refs` and `attack_refs` are intentionally empty.
+
+| Catalog | Role for RWEP |
+|---|---|
+| `data/cve-catalog.json` | Source of factor values: CISA KEV flag, PoC availability, AI-discovery flag, active-exploitation status, patch and live-patch availability per CVE |
+| `data/atlas-ttps.json` (MITRE ATLAS v5.1.0) | Provides the AI/ML TTP context where AI-discovery and AI-acceleration factors apply (e.g., AML.T0017 Develop Capabilities) |
+| `data/exploit-availability.json` | Authoritative PoC + KEV + last-verified date snapshot — drives factor freshness |
+| `data/zeroday-lessons.json` | Closes the loop: zero-day's lesson entry feeds back the framework gap that RWEP's score implied |
+
+Use the TTP-specific skills (e.g., `kernel-lpe-triage`, `ai-attack-surface`, `mcp-agent-trust`) to extract the attack vector. Use this skill to translate that attack vector's catalogued factors into an action timeline.
+
+---
+
+## Exploit Availability Matrix
+
+How each RWEP factor maps to a real CVE in `data/cve-catalog.json`:
+
+| CVE | KEV | PoC | AI-Discovered | Active Exploitation | Blast Radius | Patch | Live Patch | RWEP | CVSS |
+|---|---|---|---|---|---|---|---|---|---|
+| CVE-2026-31431 (Copy Fail) | Yes | Yes (732-byte) | Yes | Confirmed | All Linux ≥ 4.14 (30) | Yes | Yes (kpatch/livepatch/kGraft) | 90 | 7.8 |
+| CVE-2026-43284 (Dirty Frag ESP/IPsec) | No | Yes (chain) | No | Suspected | IPsec-using systems (18) | Yes | RHEL-only kpatch | 38 | 7.8 |
+| CVE-2026-43500 (Dirty Frag RxRPC) | No | Yes (chain) | No | Suspected | RxRPC-loaded systems | Yes | Partial | 32 | 7.6 |
+| CVE-2025-53773 (Copilot prompt-injection RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | Suspected | GitHub Copilot users (22) | Yes (SaaS) | Yes (SaaS push) | 42 | 9.6 |
+| CVE-2026-30615 (Windsurf MCP RCE) | No | Partial | No | Suspected (supply-chain) | 150M+ downloads but supply-chain prereq | Yes | Yes (IDE update) | 35 | 9.8 |
+
+Key reads: Copy Fail (RWEP 90, CVSS 7.8) and Windsurf MCP (RWEP 35, CVSS 9.8) sit at opposite ends — Copy Fail is the canonical case of CVSS under-prioritization; Windsurf MCP is the canonical case of CVSS over-prioritization (supply-chain prerequisite as throttle).
+
+---
+
+## RWEP Formula
+
+```
+RWEP = min(100, max(0,
+  (cisa_kev      × 25) +
+  (poc_public    × 20) +
+  (ai_assisted   × 15) +
+  (active_expl   × 20) +
+  (blast_radius  × 15) -
+  (patch_avail   × 15) -
+  (live_patch    × 10) +
+  (reboot_req    × 5)
+))
+```
+
+### Factor Definitions
+
+**cisa_kev** (0 or 1): Is this CVE in the CISA Known Exploited Vulnerabilities catalog?
+- Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+- Score contribution: +25 points if listed
+- Rationale: CISA KEV listing means active exploitation has been confirmed by CISA. This is the highest-confidence signal that exploitation is occurring in the wild.
+
+**poc_public** (0 or 1): Is a working PoC publicly available?
+- Score contribution: +20 points if public
+- Rationale: A public PoC reduces attacker capability requirements to near-zero. Any actor with access to the PoC can execute the exploit. Lowers barrier from nation-state to script kiddie.
+
+**ai_assisted** (0 or 1): Was this CVE discovered by an AI system, or has AI-assisted weaponization been documented?
+- Score contribution: +15 points if yes
+- Rationale: AI-assisted discovery (e.g., Copy Fail discovered in ~1 hour) indicates the vulnerability class is likely to be re-discovered or further exploited rapidly. AI-assisted weaponization compresses the time-to-reliable-exploit dramatically.
+
+**active_expl** (0 or 1): Is active exploitation confirmed (beyond CISA KEV, e.g., incident reports, threat intelligence)?
+- Score contribution: +20 points if confirmed
+- Rationale: Confirmed exploitation means the threat is not theoretical. Treat as an incident-level response trigger.
+
+**blast_radius** (0.0 to 1.0 scaled to 0–15): How broad is the affected population?
+- 15 points: Affects all Linux systems since a specific kernel version (e.g., Copy Fail: all 4.14+)
+- 10 points: Affects a major distribution's default configuration
+- 7 points: Affects a specific distribution or configuration
+- 3 points: Affects a narrow software version range
+- 0 points: Affects only highly specific configurations
+
+**patch_avail** (0 or 1): Is a patch available?
+- Score contribution: -15 points if available
+- Rationale: Patch availability dramatically reduces remediation timeline. The risk decays as patches are deployed.
+
+**live_patch** (0 or 1): Is live kernel/application patching available (no reboot required)?
+- Score contribution: -10 points if available
+- Rationale: Live patching enables immediate remediation without service disruption. Systems that can live-patch have a lower operational burden for remediation.
+
+**reboot_req** (0 or 1): Is a reboot required to apply the patch (and no live patch is available)?
+- Score contribution: +5 points if reboot required with no live patch
+- Rationale: Reboot requirements extend remediation timelines for production systems. Systems stay exposed longer.
+
+---
+
+## Pre-Calculated RWEP Scores
+
+### CVE-2026-31431 — Copy Fail
+
+| Factor | Value | Points |
+|---|---|---|
+| CISA KEV | Yes | +25 |
+| PoC Public | Yes (732-byte script) | +20 |
+| AI-Assisted | Yes (discovered by AI in ~1h) | +15 |
+| Active Exploitation | Confirmed | +20 |
+| Blast Radius | All Linux kernel 4.14+ (all major distros, containers) | +30 |
+| Patch Available | Yes | -15 |
+| Live Patch Available | Yes (kpatch/livepatch/kGraft) | -10 |
+| Reboot Required | Yes (always — live patch is temporary) | +5 |
+| **RWEP** | | **90** |
+
+**Interpretation:** RWEP 90 — the highest score in the current catalog. Formula: 25(KEV)+20(PoC)+15(AI-discovered)+20(confirmed)+30(blast)−15(patch)−10(live-patch)+5(reboot) = 90. The blast radius of 30 reflects all Linux >= 4.14 including containers and all major distributions since 2017.
+
+**vs. CVSS:** CVSS 7.8 High. In traditional frameworks, this scores as a "30-day remediation" item. RWEP 90 means: patch or live-patch within 4 hours of availability, or document compensating controls. RWEP is 12 points higher than CVSS × 10 (78) — the AI-discovery factor, confirmed exploitation, and massive blast radius are what CVSS misses.
+
+---
+
+### CVE-2026-43284 — Dirty Frag (ESP/IPsec)
+
+| Factor | Value | Points |
+|---|---|---|
+| CISA KEV | No | 0 |
+| PoC Public | Yes (chain component) | +20 |
+| AI-Assisted | No | 0 |
+| Active Exploitation | Suspected | +10 (partial) |
+| Blast Radius | IPsec-using systems, kernel 5.x | +18 |
+| Patch Available | Yes | -15 |
+| Live Patch Available | No (kpatch RHEL-only — not broadly available) | 0 |
+| Reboot Required | Yes | +5 |
+| **RWEP** | | **38** |
+
+**Interpretation:** No CISA KEV, suspected (not confirmed) exploitation, and no broad live-patch availability. RWEP 38 vs. CVSS-equivalent 78 — RWEP shows this is less urgent than CVSS suggests absent confirmed exploitation at scale. Critical contextual risk: any host using IPsec for compliance controls (SC-8/SC-28) cannot claim those controls as compensating controls while this CVE is unpatched — the exploit runs through the IPsec implementation.
+
+---
+
+### CVE-2025-53773 — GitHub Copilot Prompt Injection RCE
+
+| Factor | Value | Points |
+|---|---|---|
+| CISA KEV | No | 0 |
+| PoC Public | Yes (demonstrated) | +20 |
+| AI-Assisted | Yes (AI tooling enables) | +15 |
+| Active Exploitation | Suspected | +10 |
+| Blast Radius | GitHub Copilot users — large developer population | +22 |
+| Patch Available | Yes (GitHub patched) | -15 |
+| Live Patch Available | Yes (SaaS patch) | -10 |
+| Reboot Required | No (SaaS update) | 0 |
+| **RWEP** | | **42** |
+
+**Interpretation:** CVSS 9.6 vs. RWEP 42 — significant divergence. CVSS is high because the worst-case impact is critical RCE. RWEP is lower because there's no CISA KEV listing and exploitation is suspected (not confirmed at scale). The lack of framework coverage for prompt injection as an attack class (no control in any major framework) makes this a critical monitoring gap regardless of the RWEP score.
+
+---
+
+### CVE-2026-30615 — Windsurf MCP Zero-Interaction RCE
+
+| Factor | Value | Points |
+|---|---|---|
+| CISA KEV | No | 0 |
+| PoC Public | Partial | +10 |
+| AI-Assisted | No | 0 |
+| Active Exploitation | Suspected (supply chain targeting) | +10 |
+| Blast Radius | 150M+ AI coding assistant downloads (all affected IDEs) | +30 |
+| Patch Available | Yes | -15 |
+| Live Patch Available | Yes (IDE update) | -10 |
+| Reboot Required | No | 0 |
+| **RWEP** | | **35** |
+
+**vs. CVSS:** CVSS 9.8 vs. RWEP 35 — the largest CVSS/RWEP divergence in the catalog. CVSS is high because zero-interaction network RCE with no-auth is the maximum-severity scenario. RWEP is lower because no CISA KEV, suspected-only exploitation, and the attack requires a malicious MCP server to be installed first (the supply-chain prerequisite is the limiting factor). Key insight: RWEP correctly signals that this is an elevated priority, not an emergency — unlike Copy Fail where RWEP signals emergency regardless of CVSS.
+
+---
+
+## RWEP vs. CVSS Delta Analysis
+
+When CVSS and RWEP diverge significantly, it surfaces important context:
+
+**CVSS high, RWEP low** — Severe vulnerability but low immediate priority:
+- No PoC, no active exploitation, no CISA KEV
+- Patch available with no reboot required
+- Narrow blast radius (specific configuration)
+- Example: An obscure CVSS 9.1 RCE in an enterprise appliance with no public PoC, patched by vendor, affecting 100 customers worldwide
+
+**CVSS moderate, RWEP high** — The dangerous case — framework compliance prioritizes wrong things:
+- CVSS 7.8 → "30-day remediation"
+- RWEP 90 → "patch or live-patch within 4 hours"
+- Example: Copy Fail — CVSS doesn't capture AI-discovered + deterministic + CISA KEV + all Linux
+- Framework compliance that uses CVSS thresholds for SLA will deprioritize Copy Fail relative to a CVSS 9.8 with no public exploit
+
+**High CVSS, moderate RWEP** — CVSS overstates urgency for AI/supply-chain threats:
+- Copilot RCE (CVSS 9.6 / RWEP 42): no KEV, suspected exploitation — important but not emergency
+- Windsurf MCP (CVSS 9.8 / RWEP 35): no KEV, supply-chain prerequisite limits actual exploitation rate
+- RWEP correctly prioritizes Copy Fail (RWEP 90) over Windsurf MCP (RWEP 35) despite Windsurf having higher CVSS
+- Framework compliance that uses CVSS alone will treat Windsurf MCP as MORE urgent than Copy Fail — incorrect
+
+---
+
+## Analysis Procedure
+
+### Step 1: Gather CVE data
+
+For a CVE not in the pre-calculated catalog, collect:
+- NVD CVSS score and vector
+- CISA KEV status (direct lookup)
+- PoC availability (public security databases, researcher announcements)
+- AI-discovery or AI-assisted weaponization (researcher disclosure statements)
+- Active exploitation (CISA KEV, threat intelligence, incident reports)
+- Affected version range (blast radius assessment)
+- Patch availability and reboot requirement
+- Live patch support (kpatch, livepatch, kGraft, vendor live update)
+
+### Step 2: Apply RWEP formula
+
+Calculate factor values (binary 0/1 or scaled 0–1 for blast radius) and apply formula.
+
+### Step 3: Generate remediation timeline
+
+Map RWEP score to required action timeline:
+
+| RWEP | Action | Timeline |
+|---|---|---|
+| 90–100 | Immediate — deploy live patch or isolate | Within 4 hours |
+| 75–89 | Urgent — patch or compensating controls | Within 24 hours |
+| 60–74 | High — patch within standard emergency window | Within 72 hours |
+| 40–59 | Elevated — accelerated patching | Within 7 days |
+| 20–39 | Standard — normal patch cycle | Within 30 days |
+| 0–19 | Low — routine vulnerability management | Next scheduled maintenance |
+
+### Step 4: Framework compliance translation
+
+Translate RWEP-based timeline to framework compliance language:
+- "This CVE has RWEP 90. Per NIST 800-53 SI-2, the organizational SLA is 30 days for High. This SLA is insufficient for a CISA KEV vulnerability with public PoC and confirmed active exploitation. The RWEP-based remediation requirement (4 hours) represents a material gap between SI-2 compliance and actual security posture."
+
+---
+
+## Output Format
+
+```
+## Exploit Priority Assessment
+
+**CVE:** [ID]
+**Assessment Date:** YYYY-MM-DD
+
+### CVSS vs. RWEP
+| Metric | Score | Priority Band |
+|--------|-------|---------------|
+| CVSS | [score] | [None/Low/Medium/High/Critical] |
+| RWEP | [score] | [see table above] |
+| Delta | [RWEP - CVSS×10] | [Explain if significant] |
+
+### RWEP Factor Breakdown
+| Factor | Value | Points |
+|--------|-------|--------|
+| CISA KEV | Yes/No | +25/0 |
+| PoC Public | Yes/No | +20/0 |
+| AI-Assisted | Yes/No | +15/0 |
+| Active Exploitation | Confirmed/Suspected/No | +20/+10/0 |
+| Blast Radius | [description] | [0-15] |
+| Patch Available | Yes/No | -15/0 |
+| Live Patch Available | Yes/No | -10/0 |
+| Reboot Required | Yes/No | +5/0 |
+| **RWEP Total** | | **[score]** |
+
+### Required Action
+**Timeline:** [4h / 24h / 72h / 7d / 30d / routine]
+**Action:** [Live patch / Full patch + reboot / Compensating controls + timeline / Routine]
+
+### Framework Compliance Note
+[If RWEP timeline conflicts with framework SLA: explicit statement of the gap]
+```
+
+---
+
+## Compliance Theater Check
+
+Run this check against any organization claiming vulnerability-management compliance:
+
+> "Pull your vulnerability-management policy. Find the remediation SLA table. Is the SLA anchored on CVSS bands — `Critical: within X days, High: within Y days, Medium: within Z days`? If yes, the policy is theater for the dominant 2026 threat class: AI-discovered, CISA KEV listed LPEs with public PoC scored CVSS 7.8 (High). Under a CVSS-banded SLA, CVE-2026-31431 (Copy Fail) gets the same 30-day clock as a CVSS 7.8 theoretical bug. The actual operational requirement — 4 hours to live-patch or isolate — is invisible to the policy. Re-anchor remediation SLAs on RWEP, not CVSS bands, or demonstrate that CVSS-banded SLAs are augmented by an explicit CISA-KEV-response override with a sub-24h timeline."
+
+> "Open your last quarterly vuln-management metrics report. Does it report `mean time to remediate by CVSS band`? If that is the headline metric, the program optimizes for CVSS-band SLAs, not for actual exploit-priority response. The KPI itself is theater. The honest metric is: for CVEs that crossed RWEP ≥ 75 during the quarter, what was the mean time from RWEP-75 threshold crossing to deployed mitigation? If the org doesn't track RWEP at all, the program has no instrumentation to detect when CVSS-banded SLAs fail — which they do for every CISA KEV + AI-discovered class in `data/cve-catalog.json`."
+
+> "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours. The gap between 'met SLA' and 'was exposed for ~30 days to a 732-byte public PoC on CISA KEV' is the size of the theater."