Risk Scoring
Understand how BlockSecOps prioritizes vulnerabilities using ML-powered risk scoring.
What Is Risk Scoring?
Risk scoring assigns a 0-100 score to each finding based on multiple factors. Higher scores indicate higher risk and should be addressed first.
Score Ranges
| Score | Risk Level | Action |
|---|---|---|
| 80-100 | Critical | Fix immediately |
| 60-79 | High | Fix soon |
| 40-59 | Medium | Plan to fix |
| 0-39 | Low | Consider fixing |
Scoring Factors
Exploitability
How easy is it to exploit?
| Factor | Higher Score |
|---|---|
| External function | +20 |
| No access control | +25 |
| Public visibility | +15 |
| Simple exploit path | +20 |
Impact
What's the damage if exploited?
| Factor | Higher Score |
|---|---|
| Fund loss possible | +30 |
| Contract destruction | +25 |
| Access bypass | +20 |
| DoS possibility | +10 |
Confidence
How certain is it that the finding is real?
| Factor | Higher Score |
|---|---|
| Multiple scanners found it | +15 |
| High confidence detector | +10 |
| Clear code pattern | +10 |
Context
What's the surrounding code like?
| Factor | Higher Score |
|---|---|
| High-value contract | +10 |
| No mitigations present | +10 |
| Critical function | +10 |
Score Calculation
Simplified Formula
Base Score (from severity)
+ Exploitability Factors
+ Impact Factors
+ Confidence Adjustments
- Mitigation Deductions
= Final Risk Score
Example
Finding: Reentrancy in withdraw()
Base Score (Critical): 70
+ External function: +10
+ No reentrancy guard: +10
+ Multiple scanners: +5
+ High-value contract: +5
= Risk Score: 100
Using Risk Scores
Prioritization
Sort findings by risk score:
- Fix 80-100 first
- Then 60-79
- Then 40-59
- Finally 0-39
Triage Decisions
| Score | Decision |
|---|---|
| 90+ | Drop everything, fix now |
| 70-89 | Priority for current sprint |
| 50-69 | Schedule for next sprint |
| <50 | Backlog |
Threshold Setting
Set team thresholds:
- "Critical" threshold: 80+
- "Must fix" threshold: 60+
- "CI/CD block" threshold: 70+
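The additive formula under "Score Calculation" and the prioritization, triage and threshold tables above can be exercised end to end with a small scorer. The following is an added example written for this page, not BlockSecOps product code: it reproduces the page's worked reentrancy example with the increments listed there, applies the -30 ReentrancyGuard adjustment from the "Common Score Adjustments" table, and maps the result to risk level, triage decision and the CI/CD block threshold. The 0-100 clamp, the Medium base score of 30, and all sample findings other than the page's own reentrancy example are assumptions made for the example.

```python
"""Added example (not BlockSecOps product code): an additive risk scorer that applies
the page's simplified formula, clamps to the 0-100 range, and maps the result to the
page's risk-level, triage and threshold tables."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    title: str
    location: str
    severity: str        # scanner-assigned severity, kept separate from the score
    base_score: int      # "Base Score (from severity)"; the page gives 70 for Critical
    # (label, delta) pairs: positive for exploitability/impact/confidence/context
    # factors, negative for mitigation deductions
    factors: list[tuple[str, int]] = field(default_factory=list)


def risk_score(finding: Finding) -> int:
    """Base + factors - deductions. The 0-100 clamp is an assumption: the page
    defines scores on that range but does not say how overflow is handled."""
    total = finding.base_score + sum(delta for _, delta in finding.factors)
    return max(0, min(100, total))


def risk_level(score: int) -> str:
    """Score Ranges table."""
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def triage_decision(score: int) -> str:
    """Triage Decisions table."""
    if score >= 90:
        return "Drop everything, fix now"
    if score >= 70:
        return "Priority for current sprint"
    if score >= 50:
        return "Schedule for next sprint"
    return "Backlog"


def blocks_pipeline(score: int, threshold: int = 70) -> bool:
    """Team-configurable 'CI/CD block' threshold; 70+ is the page's suggested value."""
    return score >= threshold


def breakdown(finding: Finding) -> list[str]:
    """Factor breakdown in the same shape as the page's worked example."""
    lines = [f"Base Score ({finding.severity}): {finding.base_score}"]
    for label, delta in finding.factors:
        lines.append(f"{'+' if delta >= 0 else '-'} {label}: {delta:+d}")
    lines.append(f"= Risk Score: {risk_score(finding)}")
    return lines


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Sort highest risk first, which is the fix order the page recommends."""
    return sorted(findings, key=risk_score, reverse=True)


# --- constructed sample findings --------------------------------------------
# The page's own worked example, using the increments it lists there.
REENTRANCY_UNGUARDED = Finding(
    "Reentrancy in withdraw()", "Token.sol:45", "Critical", 70,
    [("External function", 10), ("No reentrancy guard", 10),
     ("Multiple scanners", 5), ("High-value contract", 5)],
)
# Same finding after a ReentrancyGuard is added (-30 from the adjustments table).
REENTRANCY_GUARDED = Finding(
    "Reentrancy in withdraw()", "Token.sol:45", "Critical", 70,
    [("External function", 10), ("Multiple scanners", 5),
     ("High-value contract", 5), ("ReentrancyGuard present", -30)],
)
# Constructed finding whose raw total (140) exceeds 100, to show the clamp.
UNPROTECTED_SELFDESTRUCT = Finding(
    "Unprotected selfdestruct", "Vault.sol:12", "Critical", 70,
    [("External function", 20), ("No access control", 25), ("Contract destruction", 25)],
)
# Constructed low-risk finding; the Medium base of 30 is an assumption.
DOS_ONLY = Finding(
    "Unbounded loop", "Airdrop.sol:88", "Medium", 30,
    [("DoS possibility", 10), ("Unused code path", -40)],
)

if __name__ == "__main__":
    for f in prioritize([DOS_ONLY, REENTRANCY_GUARDED, UNPROTECTED_SELFDESTRUCT, REENTRANCY_UNGUARDED]):
        s = risk_score(f)
        print(f"[{s}] {f.title}\n{risk_level(s)} | {f.location}")
        print("  " + "; ".join(breakdown(f)), "| triage:", triage_decision(s),
              "| blocks CI:", blocks_pipeline(s))
```

Running the script prints the findings in fix order with their factor breakdown; note that the guarded variant of the same reentrancy finding drops from 100 to 60, which keeps its scanner severity but moves it from "Drop everything" to "Schedule for next sprint" and below the 70+ CI/CD block threshold.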
Score vs Severity
How They Differ
| | Severity | Risk Score |
|---|---|---|
| Nature | Static | Dynamic |
| Based on | Vulnerability type | Full context |
| Assigned by | Scanner (detection pattern) | ML model (multiple factors) |
When They Disagree
A "High" severity finding might have:
- Low risk score: If well-protected
- High risk score: If exposed
Example: Reentrancy (High severity)
- With nonReentrant guard → Risk: 25
- Without guard → Risk: 85
Viewing Scores
In Findings List
Each finding shows:
[85] Reentrancy in withdraw()
Critical | Token.sol:45
In Finding Detail
The detail view shows:
- Overall score
- Factor breakdown
- Score explanation
Sorting by Score
Click "Risk Score" column header to sort.
Score Factors Explained
Why My Score Is High
High scores result from:
- Dangerous vulnerability type
- Easy exploitation
- Significant impact
- No protections
Why My Score Is Low
Low scores result from:
- Protected code
- Limited impact
- Low confidence
- Mitigation present
Common Score Adjustments
| Situation | Adjustment |
|---|---|
| Admin-only function | -20 |
| ReentrancyGuard present | -30 |
| Unused code path | -40 |
| Multiple protections | -25 |
Improving Scores
Adding Protection
Adding guards lowers risk:
- ReentrancyGuard: -30 points
- Access control: -20 points
- Input validation: -10 points
Documenting Mitigation
If you have protections in place but the score is still high:
- Mark as acknowledged
- Add comment explaining mitigation
- Score adjusts over time
ML Model Details
Training Data
The model is trained on:
- Historical vulnerability data
- Audit reports
- Real-world exploits
- Expert annotations
Accuracy
- ~85% correlation with expert assessment
- Continuously improving
- Regular model updates
Limitations
The model may miss:
- Novel attack patterns
- Project-specific context
- Business logic issues
FAQ
Q: Can I override the risk score?
A: You can't change scores, but you can add context via comments.
Q: How often are scores updated?
A: Scores are calculated per scan. Re-scan to get updated scores.
Q: Do scores affect severity?
A: No. Severity comes from the scanners. Scores are a separate prioritization signal.
Q: Why did my score change between scans?
A: Code changes, new context, or model updates can affect scores.
Next Steps
- Prioritization - Using scores for fix ordering
- Deduplication - How duplicates are handled
- Managing Findings - Triage workflow