Prioritizes
Prioritizes identifies the libraries most commonly used among our clients and the CVEs associated with them, then analyzes their characteristics using AI and ranking algorithms to prioritize them by impact and criticality. This prioritization guides Skims developers in creating methods that maximize coverage in the shortest time.
Public Oath
At Fluid Attacks, we are committed to responsible AI-driven vulnerability analysis. As part of this commitment, Prioritizes emphasizes security and transparency in CVE classification and prioritization.
Prioritizes will always adhere to the following principles:
- Focus on widely used packages without associating CVEs with specific users or organizations.
- Share only publicly available CVE information with AI services, ensuring no private or customer-specific data is included.
- Ensure that no sensitive, private, or customer-specific information is used, stored, or processed at any stage of operation.
We continuously refine our AI models to improve accuracy while maintaining a secure and privacy-conscious vulnerability analysis process.
Architecture
- Scheduled Execution: An AWS EventBridge schedule triggers an AWS Batch job daily, which internally runs the Prioritizes CLI.
- Data Retrieval: The Prioritizes CLI queries an internal OpenSearch database to retrieve the CVEs that affect the largest number of libraries and library versions used by our clients.
- CVE Classification: An OpenAI assistant is used to evaluate whether a CVE meets the necessary characteristics for its detection to be automated in a Skims method.
- CVE Prioritization: Candidate CVEs are ranked using an algorithm that prioritizes those with higher severity and a greater impact on widely used libraries, while assigning lower priority to those with less impact.
- Results Storage: Prioritized CVEs are stored in a private Google Sheets document that Skims developers have access to.
- Method Implementation: With this prioritization, developers can focus on implementing Skims methods for CVEs that have the greatest impact on the most widely used libraries, accelerating coverage of critical vulnerabilities.
Data Security and Privacy
OpenAI
The data for CVE analysis is sent to OpenAI through the OpenAI API, so the API is the main focus of this section.
At no point is confidential information sent, not even statistical data such as the number of clients affected by a vulnerable dependency. Only data about specific CVEs that is already public in sources such as NVD is sent.
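As an added illustration (not Prioritizes' own code) of the ranking step in the Architecture section and the data-minimization rule stated above, the following Python builds the outbound classifier payload from an allowlist of public CVE fields and ranks candidates by severity weighted by library usage; the field names, scoring formula, classifier verdicts and sample data are assumptions.

```python
from dataclasses import dataclass

# Fields published in sources such as NVD; the only ones allowed to reach the AI service.
PUBLIC_FIELDS = frozenset({"cve_id", "cvss_score", "summary", "package", "affected_versions"})
# Internal fields derived from client data; they must never leave the system.
INTERNAL_FIELDS = frozenset({"client_count", "usage_rank"})

@dataclass
class Candidate:
    cve_id: str
    cvss_score: float       # public: CVSS base score
    summary: str            # public: CVE description
    package: str            # public: affected package name
    affected_versions: str  # public: affected version range
    client_count: int       # internal: number of our clients using the package
    usage_rank: int         # internal: 1 = most widely used library

def public_payload(c: Candidate) -> dict:
    """Allowlist the fields sent to the classifier and fail closed if an
    internal field ever shows up, instead of silently shipping it."""
    payload = {k: v for k, v in vars(c).items() if k in PUBLIC_FIELDS}
    if set(payload) & INTERNAL_FIELDS:
        raise ValueError("internal field in outbound payload")
    return payload

def priority_score(c: Candidate, total_clients: int) -> float:
    """Assumed formula: CVSS (0-10) times the fraction of clients using the package."""
    share = c.client_count / total_clients if total_clients else 0.0
    return round(c.cvss_score * share, 3)

def prioritize(candidates, total_clients, automatable):
    """Keep CVEs the classifier marked as automatable, highest score first."""
    kept = [c for c in candidates if automatable.get(c.cve_id, False)]
    return sorted(kept, key=lambda c: priority_score(c, total_clients), reverse=True)

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Candidate("CVE-0000-0001", 9.8, "RCE in parser", "libfoo", "<1.2.0", 80, 1),
    Candidate("CVE-0000-0002", 7.5, "DoS via regex", "libbar", "<=2.0", 20, 5),
    Candidate("CVE-0000-0003", 9.1, "auth bypass", "libbaz", "<0.9", 5, 40),
]
TOTAL_CLIENTS = 100
# Stand-in for the classifier verdicts (in Prioritizes these come from the OpenAI assistant).
AUTOMATABLE = {"CVE-0000-0001": True, "CVE-0000-0002": True, "CVE-0000-0003": False}

if __name__ == "__main__":
    for c in prioritize(SAMPLE, TOTAL_CLIENTS, AUTOMATABLE):
        print(c.cve_id, priority_score(c, TOTAL_CLIENTS), public_payload(c))
```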
Privacy
- OpenAI protects the privacy of enterprise customer data by ensuring API-processed content is not used for training models. Data use is governed by specific contracts with customers. (OpenAI Privacy Policy)
- Currently, the servers used by OpenAI are located in the United States; OpenAI plans to expand globally in the future. (Infrastructure)
Security and Compliance
- OpenAI’s physical security is managed by Azure, and Azure’s facilities follow the guidelines of its corporate security program, established policies, and procedures. (Physical Security)
- The data retention period for data transmitted through the API may vary depending on certain conditions. For the specific use case of Prioritizes, the retention period is 30 days. After this period, the data will be deleted unless exceptional legal reasons prevent its removal. (How we use your data)
- The data sent to OpenAI is encrypted at rest with AES-256 and in transit using TLS 1.2, both between OpenAI and customers, and between OpenAI and service providers.
- OpenAI holds compliance certifications for CCPA, CSA STAR, GDPR, SOC 2, SOC 3, and TX-RAMP.