Grading Methodology
How RouterCVE calculates security grades for router manufacturers.
Overview
Every manufacturer tracked by RouterCVE receives a letter grade from A+ to F−. The grade reflects the number, severity, and recency of known CVEs (Common Vulnerabilities and Exposures) associated with that manufacturer's products, adjusted for exploit likelihood and trend direction.
Grades update automatically as new CVEs are published or as existing data ages out of the scoring window.
Step 1 — Base Score
Each manufacturer starts with a perfect score of 100 points. Points are deducted for every CVE found in the NVD (National Vulnerability Database) that matches the manufacturer's products. The deduction depends on two factors: the CVE's severity rating and how recently it was published.
| Severity | Last 30 Days | 31 Days – 12 Months | 12 – 24 Months |
|---|---|---|---|
| Critical | −20 | −10 | −5 |
| High | −12 | −6 | −3 |
| Medium | −6 | −3 | −1.5 |
| Low | −2 | −1 | −0.5 |
Recent vulnerabilities carry the heaviest penalties because they represent the most immediate risk. A critical CVE from the last 30 days costs four times as much as the same CVE would after a year.
Step 2 — EPSS Exploit Multiplier
The EPSS (Exploit Prediction Scoring System) from FIRST.org estimates the probability that a CVE will be exploited in the wild within the next 30 days. The EPSS score adjusts each CVE's penalty in both directions:
| EPSS Score | Multiplier | Effect |
|---|---|---|
| Above 0.5 (50%+) | 1.5× | Penalty increased by 50% — high exploit likelihood |
| 0.05 to 0.5 | 1.0× | No adjustment — standard penalty |
| Below 0.05 (<5%) | 0.5× | Penalty reduced by 50% — very low exploit likelihood |
For example, a critical CVE from the last 30 days normally costs 20 points. If its EPSS score is above 0.5, it costs 30 points. If its EPSS score is below 0.05, it costs only 10 points. This ensures that theoretical vulnerabilities with little real-world exploit activity weigh less heavily than those actively being exploited.
Step 3 — Patch Status Discount
CVEs with a known patch or fix receive a significant discount, reflecting the reduced real-world risk once a fix is available. A vulnerability that has been patched is far less dangerous than one that remains open.
| Patch Status | Multiplier | Effect |
|---|---|---|
| Patched (confirmed fix available) | 0.25× | Penalty reduced by 75% |
| Unpatched (no known fix) | 1.0× | Full penalty applies |
Patch status is determined automatically using three signals: structured version-range data from the NVD (such as versionEndExcluding), patch flags in our CVE-to-model mapping database, and common patch-related phrases in the CVE description (e.g. “fixed in”, “patched in”, “upgrade to”).
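The three-signal check described above, written out as an added example (this is not RouterCVE's own code). The record layout follows the NVD API 2.0 JSON shape as I understand it (`configurations[].nodes[].cpeMatch[].versionEndExcluding`, `descriptions[].lang/value`); the mapping-database flags are modelled as a plain dict keyed by CVE ID, and the sample records and their `CVE-0000-…` identifiers are constructed placeholders, not real CVEs.

```python
import re

# Patch-related phrases listed on the page, matched case-insensitively on word boundaries.
PATCH_PHRASES = ("fixed in", "patched in", "upgrade to")
PATCH_RE = re.compile(r"\b(?:" + "|".join(re.escape(p) for p in PATCH_PHRASES) + r")\b",
                      re.IGNORECASE)


def has_version_range_fix(cve: dict) -> bool:
    """Signal 1: a CPE match carrying versionEndExcluding means a fixed version exists.
    Assumption: NVD API 2.0 layout configurations -> nodes -> cpeMatch."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("versionEndExcluding"):
                    return True
    return False


def description_mentions_patch(cve: dict) -> bool:
    """Signal 3: patch-related phrasing in the English description text."""
    for desc in cve.get("descriptions", []):
        if desc.get("lang") == "en" and PATCH_RE.search(desc.get("value", "")):
            return True
    return False


def is_patched(cve: dict, mapping_flags: dict) -> bool:
    """Any one of the three signals marks the CVE as patched.
    mapping_flags stands in for the CVE-to-model mapping database (assumed shape: {cve_id: bool})."""
    return (has_version_range_fix(cve)
            or mapping_flags.get(cve["id"], False)
            or description_mentions_patch(cve))


def patch_multiplier(cve: dict, mapping_flags: dict) -> float:
    """Step 3 multiplier: 0.25x when a fix is confirmed, otherwise the full penalty."""
    return 0.25 if is_patched(cve, mapping_flags) else 1.0


# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE_RECORDS = [
    {   # fixed version encoded in the CPE range only
        "id": "CVE-0000-00001",
        "descriptions": [{"lang": "en", "value": "Command injection in the admin CGI."}],
        "configurations": [{"nodes": [{"cpeMatch": [
            {"criteria": "cpe:2.3:o:example:router_fw:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "2.1.4"}]}]}],
    },
    {   # fix mentioned in the description only
        "id": "CVE-0000-00002",
        "descriptions": [{"lang": "en",
                          "value": "A stack overflow in the web UI was fixed in firmware 2.1.4."}],
        "configurations": [],
    },
    {   # no fix signal at all unless the mapping database flags it
        "id": "CVE-0000-00003",
        "descriptions": [{"lang": "en",
                          "value": "A buffer overflow in the UPnP service allows remote code execution."}],
        "configurations": [],
    },
]
```

Of the three signals, the description phrase match is the weakest: advisory text routinely says "upgrade to" without a fix actually shipping for every affected model, so hits from that path alone are worth a manual look before they earn the 75% discount.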
For example, a critical CVE from the last 30 days with a high EPSS score would normally cost 30 points. If that CVE has a confirmed patch, the penalty drops to just 7.5 points. This rewards manufacturers who respond quickly with fixes.
Step 4 — Letter Grade
After all deductions, the remaining score (floored at 0) maps to a base letter grade:
| Score Range | Grade |
|---|---|
| 95 – 100 | A+ |
| 90 – 94 | A |
| 85 – 89 | A− |
| 80 – 84 | B+ |
| 70 – 79 | B |
| 60 – 69 | C |
| 50 – 59 | D |
| Below 50 | F |
Step 5 — Trend Adjustment
The final grade can shift up or down by one notch based on whether the manufacturer's security posture is improving or deteriorating.
RouterCVE compares the weighted severity sum of CVEs from the last 12 months against the prior 12 months (months 13–24). The severity weights used for trend calculation are:
| Severity | Weight |
|---|---|
| Critical | 5.0 |
| High | 3.0 |
| Medium | 1.5 |
| Low | 0.5 |
The trend is then determined by the percentage change between the two periods:
| Change | Trend | Effect |
|---|---|---|
| More than 25% decrease | Getting Better ↑ | Grade shifts up one notch (e.g. B → B+) |
| Within ±25% | Stable – | No change |
| More than 25% increase | Getting Worse ↓ | Grade shifts down one notch (e.g. B → B−) |
This is how grades like B−, C+, D+, and F+ are produced — they only come from the trend adjustment, not directly from the score.
Step 6 — Too New to Rate
Manufacturers that have been in business for fewer than 3 years and have fewer than 5 total CVEs on record receive a grade of NR (Not Rated) instead of a letter grade. This prevents brand-new companies from receiving artificially high grades simply because their products have not yet been widely scrutinized by security researchers.
Once a manufacturer crosses the 3-year threshold or accumulates enough CVE history, a standard letter grade replaces the NR designation automatically.
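Steps 1 through 6 carried through in code, as an added reference implementation rather than RouterCVE's own. The page leaves a few details open, and the choices made here are assumptions: recency buckets close at 30, 365 and 730 days; EPSS exactly 0.05 or 0.5 takes the standard 1.0x; the trend shift moves along one ordered ladder from A+ down to F- and is capped at both ends; a vendor with no CVEs in months 13-24 but some in the last 12 months counts as getting worse; and grades use an ASCII hyphen for minus. The sample portfolio is constructed data, not real CVEs.

```python
# Added reference implementation of the RouterCVE grading steps; not RouterCVE's code.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Step 1: points deducted by severity and recency bucket (<=30 d, <=12 mo, <=24 mo).
BASE_PENALTY = {
    "critical": (20.0, 10.0, 5.0),
    "high": (12.0, 6.0, 3.0),
    "medium": (6.0, 3.0, 1.5),
    "low": (2.0, 1.0, 0.5),
}
# Step 5: severity weights for the trend comparison (no EPSS or patch adjustment).
TREND_WEIGHT = {"critical": 5.0, "high": 3.0, "medium": 1.5, "low": 0.5}
# Step 4: minimum score for each base grade, checked from the top down; below 50 is F.
GRADE_FLOORS = [(95, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"), (60, "C"), (50, "D")]
# Notch ladder for Step 5. Assumption: a single ordered list, capped at A+ and F-.
LADDER = ["A+", "A", "A-", "B+", "B", "B-", "C+", "C", "C-", "D+", "D", "D-", "F+", "F", "F-"]


@dataclass
class Cve:
    severity: str    # "critical" | "high" | "medium" | "low"
    published: date
    epss: float      # FIRST.org EPSS probability, 0.0..1.0
    patched: bool    # confirmed fix available (Step 3)


def recency_bucket(age_days: int) -> int | None:
    """0 = last 30 days, 1 = 31 days..12 months, 2 = 12..24 months, None = aged out."""
    if age_days <= 30:
        return 0
    if age_days <= 365:
        return 1
    if age_days <= 730:
        return 2
    return None


def epss_multiplier(epss: float) -> float:
    """Step 2: 1.5x above 0.5, 0.5x below 0.05, otherwise 1.0x (assumed at the bounds)."""
    if epss > 0.5:
        return 1.5
    if epss < 0.05:
        return 0.5
    return 1.0


def cve_penalty(cve: Cve, today: date) -> float:
    """Steps 1-3 for one CVE: base penalty x EPSS multiplier x patch discount."""
    bucket = recency_bucket((today - cve.published).days)
    if bucket is None:
        return 0.0  # older than 24 months: outside the scoring window
    base = BASE_PENALTY[cve.severity.lower()][bucket]
    return base * epss_multiplier(cve.epss) * (0.25 if cve.patched else 1.0)


def base_grade(score: float) -> str:
    """Step 4: map the floored score to a base letter grade."""
    for floor, grade in GRADE_FLOORS:
        if score >= floor:
            return grade
    return "F"


def trend_notches(cves: list[Cve], today: date) -> int:
    """Step 5: +1 getting better, 0 stable, -1 getting worse, comparing weighted
    severity sums of the last 12 months against months 13-24. Assumption: with no
    prior-period CVEs, any recent CVE counts as getting worse."""
    recent = prior = 0.0
    for cve in cves:
        age = (today - cve.published).days
        if age <= 365:
            recent += TREND_WEIGHT[cve.severity.lower()]
        elif age <= 730:
            prior += TREND_WEIGHT[cve.severity.lower()]
    if prior == 0.0:
        return -1 if recent > 0.0 else 0
    change = (recent - prior) / prior
    return 1 if change < -0.25 else -1 if change > 0.25 else 0


def shift_grade(grade: str, notches: int) -> str:
    """Move one notch up (+1) or down (-1); better grades sit at lower ladder indices."""
    idx = LADDER.index(grade) - notches
    return LADDER[max(0, min(len(LADDER) - 1, idx))]


def grade_manufacturer(cves: list[Cve], founded: date, today: date) -> tuple[str, float]:
    """Return (final grade, floored score). Step 6 short-circuits to NR."""
    if (today - founded).days < 3 * 365 and len(cves) < 5:   # approx. 3 years
        return "NR", 100.0
    score = max(0.0, 100.0 - sum(cve_penalty(c, today) for c in cves))
    return shift_grade(base_grade(score), trend_notches(cves, today)), score


# Constructed sample portfolio (not real CVE data), graded as of 2025-06-01.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_FOUNDED = date(2010, 1, 1)        # established vendor
YOUNG_VENDOR_FOUNDED = date(2024, 1, 1)  # under 3 years old
SAMPLE_CVES = [
    Cve("critical", date(2025, 5, 20), 0.80, False),  # 20 x 1.5 x 1.0  = 30.0
    Cve("high", date(2025, 1, 15), 0.20, True),        # 6 x 1.0 x 0.25  = 1.5
    Cve("medium", date(2024, 9, 1), 0.01, False),      # 3 x 0.5 x 1.0   = 1.5
    Cve("critical", date(2023, 12, 1), 0.60, True),    # 5 x 1.5 x 0.25  = 1.875
    Cve("low", date(2022, 1, 1), 0.90, False),         # aged out        = 0
]
```

Running `grade_manufacturer(SAMPLE_CVES, SAMPLE_FOUNDED, SAMPLE_TODAY)` on the constructed portfolio deducts 34.875 points for a score of 65.125 and a base grade of C; the last-12-month weighted sum (9.5) is 90% above the prior period (5.0), so the trend rule lowers the final grade to C-. The same five CVEs attributed to a vendor founded in 2024 would still be graded, because only a vendor that is both under three years old and under five CVEs receives NR.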
Data Sources
All vulnerability data is sourced from the National Vulnerability Database (NVD) maintained by NIST. EPSS scores are provided by FIRST.org. RouterCVE ingests updated data daily.
Important Context
A higher CVE count does not necessarily mean a vendor is less secure. Vendors who invest in dedicated security teams, run bug bounty programs, and actively invite researchers to audit their products will naturally accumulate more CVEs than vendors who do none of these things. A vendor with zero CVEs may simply have no security researchers looking at their products. The absence of CVEs can reflect obscurity, not safety.
RouterCVE grades measure the volume and severity of publicly known vulnerabilities. They are one data point — useful for awareness and comparison — but they do not capture the full picture of a vendor's security posture.
Limitations
This grading system measures known, publicly disclosed vulnerabilities. It does not currently account for:
- Vendor response time — while patched CVEs now receive a 75% penalty discount, the speed of the patch response is not yet factored in
- Third-party component vulnerabilities — CVEs filed under open-source libraries (e.g., OpenSSL, Linux kernel) that may affect router products are not attributed to the router vendor
- Real-world exploitability — a vulnerability in a web management interface only matters if that interface is exposed, but all CVEs are weighted equally regardless of configuration
- Portfolio size — a vendor with 50 router models over 15 years will naturally have more CVEs than one with 2 models
RouterCVE is most useful for comparing manufacturers of similar scale and product category. We continue to refine the grading model as more data signals become available.