Prioritization

Smart ordering of vulnerability fixes using intelligence features.

Last updated: January 14, 2026

What Is Smart Prioritization?

Smart prioritization helps you decide what to fix first by combining:

  • Risk scores
  • Severity levels
  • Vulnerability relationships
  • Effort estimates

Prioritization Factors

Risk Score (Primary)

The ML-computed risk score (0-100) is the primary factor:

  • Higher scores = higher priority
  • Based on exploitability, impact, confidence

Severity (Secondary)

Traditional severity as tiebreaker:

  • Critical > High > Medium > Low

Related Findings

Some fixes address multiple issues:

  • Root cause analysis
  • Fix once, resolve many

Effort Estimate

Simple vs complex fixes:

  • Quick wins first when similar risk
  • Save complex fixes for later

Prioritization Strategies

Risk-First (Default)

Sort by risk score, highest first:

1. [95] Reentrancy in withdraw()
2. [87] Missing access control
3. [72] Integer overflow
4. [45] Floating pragma

Best for: Maximum security impact.

Quick-Wins

Fix easy high-value issues first:

1. [72] Floating pragma (5 min fix)
2. [65] Missing event (5 min fix)
3. [95] Reentrancy (30 min fix)

Best for: Rapid improvement.

By Function

Group by affected function:

withdraw():
  - Reentrancy [95]
  - Missing event [45]

transfer():
  - Unchecked return [72]

Best for: Focused refactoring.

By File

Group by source file:

Token.sol:
  - Reentrancy [95]
  - Integer overflow [72]

Vault.sol:
  - Access control [87]

Best for: File-by-file review.


Recommended Fix Order

Step 1: Critical Risks (Score 80+)

These could be exploited now:

  • Fix immediately
  • Don't deploy until resolved
  • Consider pausing if deployed

Step 2: High Risks (Score 60-79)

Significant vulnerabilities:

  • Fix before next deployment
  • Include in current sprint
  • May need design changes

Step 3: Medium Risks (Score 40-59)

Should be addressed:

  • Plan for near-term fix
  • May be acceptable short-term
  • Document if deferring

Step 4: Low Risks (Score <40)

Minor issues:

  • Fix when convenient
  • Good for cleanup sprints
  • Often quick wins

Root Cause Analysis

What It Is

Some findings share a root cause:

  • Fixing one fixes many
  • More efficient remediation

Example

Root Cause: Missing access control on admin functions

Related Findings:
- [87] withdraw() lacks access control
- [85] setFee() lacks access control
- [83] pause() lacks access control

Fix: Add Ownable pattern → Resolves all 3

Using Root Cause

  1. Look for related findings
  2. Identify common fix
  3. Address root cause
  4. Verify all related findings resolved

Effort Estimation

Complexity Indicators

Indicator            Typical Effort
One-line fix         5 minutes
Function change      30 minutes
Pattern change       1-2 hours
Architecture change  Days

Balancing Risk and Effort

Risk   Easy Fix          Hard Fix
High   Fix immediately   Plan carefully, fix soon
Low    Quick win         Backlog

Dashboard View

Priority Queue

The dashboard shows a priority queue:

Fix Next:
1. [95] Reentrancy in withdraw()
2. [87] Missing access control
3. [72] Integer overflow

Quick Wins:
1. [65] Missing event
2. [45] Floating pragma

Progress Tracking

Track your progress:

  • Findings fixed today
  • Trend over time
  • Remaining by priority

Team Prioritization

Assignment by Priority

Assign based on priority and expertise:

  • Senior devs: High complexity, high risk
  • Junior devs: Quick wins, lower risk

Sprint Planning

Use prioritization for sprint planning:

  1. Sort by priority
  2. Estimate effort
  3. Allocate to sprint
  4. Track completion

Automated Prioritization

CI/CD Integration

Block PRs based on priority:

  • Block on score > 80
  • Warn on score > 60
  • Allow score < 60
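
As an added example (not the product's own code), the Python below implements the four ordering strategies from the Prioritization Strategies section and the CI/CD gate from the thresholds just listed. The sample findings, their effort minutes and the `quick_threshold` cut-off are constructed assumptions; the risk scores and names mirror the page's examples.

```python
from dataclasses import dataclass
from itertools import groupby

# Severity is only a tiebreaker on the page; rank it so sorting can use it.
SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


@dataclass(frozen=True)
class Finding:
    title: str
    risk: int         # ML-computed risk score, 0-100
    severity: str     # traditional severity label
    effort_min: int   # effort estimate in minutes (assumed field)
    function: str     # affected function, "(file-level)" if none
    file: str         # source file


# Constructed sample findings modelled on the page's examples; scores and
# efforts are illustrative, not output of the real scanner.
FINDINGS = [
    Finding("Reentrancy in withdraw()", 95, "Critical", 30, "withdraw()", "Token.sol"),
    Finding("Missing access control", 87, "High", 15, "setFee()", "Vault.sol"),
    Finding("Integer overflow", 72, "High", 30, "transfer()", "Token.sol"),
    Finding("Unchecked return", 72, "Medium", 30, "transfer()", "Token.sol"),
    Finding("Missing event", 65, "Low", 5, "withdraw()", "Token.sol"),
    Finding("Floating pragma", 45, "Low", 5, "(file-level)", "Token.sol"),
]


def risk_first(findings):
    """Risk-First: highest risk score first; severity breaks ties (72 High before 72 Medium)."""
    return sorted(findings, key=lambda f: (f.risk, SEVERITY_RANK[f.severity]), reverse=True)


def quick_wins(findings, quick_threshold=15):
    """Quick-Wins: fixes at or under the effort threshold first (by risk), then the rest by risk."""
    return sorted(findings, key=lambda f: (f.effort_min > quick_threshold, -f.risk))


def group_by_attr(findings, attr):
    """By Function / By File: group findings, keeping risk order inside each group."""
    ordered = sorted(findings, key=lambda f: (getattr(f, attr), -f.risk))
    return {k: list(g) for k, g in groupby(ordered, key=lambda f: getattr(f, attr))}


def ci_gate(findings, block_at=80, warn_at=60):
    """CI/CD gate from the page's thresholds: block on > 80, warn on > 60, else allow.
    A score exactly at a threshold falls into the lower tier (assumption; the page does not say)."""
    top = max((f.risk for f in findings), default=0)
    if top > block_at:
        return "block"
    return "warn" if top > warn_at else "allow"
```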

Notifications

Get alerted on high-priority findings:

  • Email for Critical
  • Slack for High
  • Dashboard for all

Customizing Priority

Adjusting Weights

Enterprise plans can adjust:

  • Risk score weight
  • Severity weight
  • Custom factors

Business Context

Consider:

  • Contract TVL
  • Deployment timeline
  • Audit schedule
  • Business impact

FAQ

Q: Should I always fix highest priority first?
A: Generally yes, but consider quick wins and root causes.

Q: Can I customize the prioritization?
A: Sort and filter options let you view different orders. Custom weights are available on Enterprise plans.

Q: How do I handle many high-priority findings?
A: Focus on root causes. Group related issues. Consider pausing deployment.

Q: Does priority change over time?
A: Risk scores are recalculated each scan. Context can change priority.

