Putting custom vulnerability priorities into RedSeal
While RedSeal is our primary vulnerability analysis platform, we've hit limits using standard CVSS v2 scores for prioritization (they don't reflect our threat model; Heartbleed was only a CVSS 5; there are problems with the distribution of scores; etc.). To address this, I've created, with help from some independent researchers, VulnPryer (https://github.com/SCH-CISM/vulnpryer). VulnPryer takes a feed of vulnerability information and adjusts the scores in a user-defined way to ensure that scores are reflective of what matters to you and your organization. Are you concerned about script kiddies with a copy of Metasploit? VulnPryer has default rules to prioritize vulns with public exploit code.
Best of all, the standard VulnPryer code is explicitly targeted at feeding this data back into RedSeal via a customized TRL (RS 8.0 has some interesting features to make this even easier). Check it out, open issues, give feedback, make it your own!
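
A sketch of the kind of rule-based rescoring described above, added here as an illustration: it is not VulnPryer's code or its actual algorithm, and the field names, rule weights and sample records are constructed assumptions. It shows a mid-scored vulnerability with a packaged exploit outranking a higher CVSS score that has no known exploit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # constructed identifier, not a real CVE
    cvss_base: float         # CVSS v2 base score, 0.0-10.0
    public_exploit: bool     # exploit code has been published
    metasploit_module: bool  # exploit is packaged in Metasploit

# Hypothetical user-defined adjustments; tune them to your own threat model.
RULES = {"metasploit_module": 3.0, "public_exploit": 2.0, "no_exploit": -1.0}

def custom_score(v, rules=RULES):
    """Adjust the base score by the strongest applicable rule, clamped to 0-10."""
    if v.metasploit_module:
        delta = rules["metasploit_module"]
    elif v.public_exploit:
        delta = rules["public_exploit"]
    else:
        delta = rules["no_exploit"]
    return round(min(10.0, max(0.0, v.cvss_base + delta)), 1)

def prioritize(vulns, rules=RULES):
    """Return (score, vuln_id) pairs, highest adjusted score first."""
    scored = [(custom_score(v, rules), v.vuln_id) for v in vulns]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))

# Constructed sample feed.
SAMPLE = [
    Vuln("VULN-A", 5.0, True, True),    # mid CVSS, Metasploit module exists
    Vuln("VULN-B", 7.5, False, False),  # high CVSS, no known exploit
    Vuln("VULN-C", 9.3, True, False),   # high CVSS, public exploit code
    Vuln("VULN-D", 4.3, False, False),  # low CVSS, no known exploit
]

if __name__ == "__main__":
    for score, vuln_id in prioritize(SAMPLE):
        print(f"{vuln_id}: {score}")
```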