Pakkit.net
← Back to blog

Security

Patch the Class, Not the CVE

A weekly vulnerability report looks like hundreds of unique problems, but it's really a handful of recurring classes — and triaging by class, leading with the genuinely remote-exploitable, beats playing whack-a-mole with individual CVE numbers.

  • Security
  • Vulnerability Management
  • Operations
  • Systems Thinking

A weekly vulnerability report arrives looking like hundreds of distinct emergencies. Stare at it long enough and the illusion breaks: it’s not hundreds of problems, it’s a handful of classes of problem, repeated across many hosts and re-printed every week. The work that actually moves risk down isn’t chasing individual CVE numbers — it’s recognizing which class each finding belongs to, leading with the one class that’s genuinely dangerous, and refusing to re-litigate the classes you’ve already handled. Patch the class, not the CVE.

The report is a few buckets wearing a thousand names

Sort a real vulnerability export by root cause and the long scary list collapses into a short one:

  • Operating-system package age. The bulk of findings, almost always. They arrive as bundles of dozens of CVEs that all close with a single OS update. The individual CVE numbers change every week; the remediation never does — update the package, reboot, rescan.
  • Detection artifacts. Findings the scanner reports based on how it detects, not on real exposure — the banner-versus-backported-fix pattern and its relatives. Mostly noise, once validated.
  • Genuinely remote-exploitable services. The small, scary minority: pre-auth remote code execution in network-facing services. These are the real fire.
  • Already-dispositioned re-notifications. Findings that already carry a risk exception or an open remediation ticket, re-surfaced as if new.

Four buckets. Once you see them, you stop reacting to a thousand line items and start managing four kinds of work — three of which are mostly mechanical.

A vulnerability report isn’t a to-do list of unique tasks. It’s the same few categories, reprinted weekly. Triage the categories.

Lead with what’s actually remote-exploitable

The dangerous mistake is treating the report as uniformly urgent, because then the genuinely critical items — the pre-auth, network-facing RCEs — drown in a sea of kernel-bundle noise. Severity labels don’t save you here; a pile of “high” OS findings can bury the one “high” that an unauthenticated attacker can actually reach over the network.

So the first pass every week is: which of these can someone exploit remotely, without credentials, against a service that’s actually listening? That short list leads. Everything else — the kernel bundles, the detection artifacts — is real work but not emergency work, and conflating the two means the emergency waits behind the chores. Prioritization is the entire value-add of triage; lead with the findings where the gap between “flagged” and “exploited” is smallest.

Most “new” findings aren’t new work

The most useful and least intuitive realization: in a typical week, the large majority of “new high-severity findings” are not new work at all. They already have a risk exception filed, or an open remediation ticket, or they’re a known detection artifact — and many have been open for over a year. The scanner doesn’t know any of that; it just re-reports everything it still sees.

So the right weekly move, most of the time, is not to patch or investigate — it’s to point back at the disposition that already exists. “This one’s covered by exception X.” “This one’s tracked in ticket Y.” “This one’s the known false positive.” That requires tracking dispositions over time so you can point back, which is its own small discipline, but it’s the thing that converts an overwhelming weekly flood into a short list of genuinely new items. The hard part isn’t the patching; it’s not re-doing work that’s already done.

Fix the class once, reuse the playbook forever

When something does need remediating, fix it at the level of the class, not the instance. The OS-package-age bucket is the clearest example: the remediation is the same every single week — snapshot the machine, update the package, reboot, request a rescan — even though the specific CVEs differ. So you write that playbook once, with the version matrix and the rollback steps, and reuse it. You don’t re-derive “how do I patch a kernel” each time a new bundle of kernel CVEs appears.

That’s the efficiency the class-based view unlocks. Individual CVEs are ephemeral; the classes are stable, and stable things deserve a reusable response. Spending your scarce attention re-investigating instances of a class you already understand is how vulnerability management becomes a soul-crushing treadmill instead of a manageable routine.

The mindset: categories are stable, instances are noise

Step back and it’s a general pattern-recognition lesson that happens to live in security. Faced with a flood of individual items, the leverage is in finding the small number of underlying categories and building a response per category: mechanical playbook for the routine classes, fast disposition-lookup for the re-notifications, and your real human attention reserved for the genuinely new, genuinely exploitable few.

The CVE numbers are designed to make every week feel unique and urgent. They’re mostly not. Learn your classes, automate the responses to the boring ones, point back at what’s already handled, and aim your actual judgment at the short list that deserves it. That’s the difference between managing vulnerabilities and being managed by them. If you’ve built your own class-based triage and have opinions on where the line sits, I’m easy to reach.