About this site

Hi, welcome to whatshouldipatch.com! I'm Arun, and I made this website.

Every day, we bring together information on CVEs (security issues) from three big sources: the National Vulnerability Database (NVD), the Exploit Prediction Scoring System (EPSS), and the Cybersecurity and Infrastructure Security Agency (CISA). Then we suggest which CVEs you should fix first.

The ranking is based on presence in the KEV list, use in ransomware, CVSS scores and the CVE base scores.

But don't rely on this alone. You should also think about things specific to your organization, like:

  • Can this be accessed from the internet?
  • How connected is the affected system to others?
  • How important is the data it holds?

Use this info to create a patching plan that fits your needs.

The data on WhatShouldIPatch.com is updated daily, and you can get the full data as an Excel file from the Download page.

I'd really like to know what you think! If you need a hand or have ideas to improve the site or additional sources you would like to see, feel free to contact me on LinkedIn.

P.S.: Just so you know, we're not connected with First.org, NIST, or CISA.