Firmware Risk Score Calculator

Quantify firmware security risk across your device fleet in seconds. Enter CVE count, patch lag, SBOM coverage, and internet exposure to get a scored risk rating from 0 to 100.

Last updated: April 2026

This calculator is designed for real-world usage based on typical engineering scenarios and publicly available documentation.

The firmware risk score calculator helps security engineers, product security teams, and IoT architects quantify how exposed a firmware build is to exploitation. It combines four independently measurable signals — unpatched CVEs, patch staleness, SBOM completeness, and network exposure — into a single 0–100 score with a Low / Medium / High / Critical label. Firmware security is notoriously hard to track because vulnerabilities span layers: bootloader, kernel, third-party libraries, and application code. Without a composite score, teams end up with spreadsheets that disagree on priority. A standardised score makes it possible to compare risk across product lines, communicate urgency to management, and gate release pipelines. This calculator is especially useful during pre-release security reviews, after a CVE advisory, or when establishing a baseline before a CRA or IEC 62443 audit. Use the score alongside your SBOM coverage and patch SLA metrics for a complete picture.

How the Firmware Risk Score Calculator Works

Firmware Risk — how it works diagram

1. Enter the number of critical CVEs affecting the firmware build (each adds up to 5 points, capped at 40).
2. Enter how many days have passed since the last firmware patch — older builds score higher (capped at 30 points).
3. Enter your SBOM coverage percentage — the lower the coverage, the more unknown dependencies raise the score (up to 20 points).
4. Enter the percentage of devices in the fleet that are internet-facing — direct exposure adds up to 10 points.
5. The four sub-scores sum to a total risk score from 0 to 100, mapped to Low (≤25), Medium (26–50), High (51–75), or Critical (76–100).

Formula

Risk Score = CVE Score + Patch Score + SBOM Score + Exposure Score

CVE Score      = min(Critical CVEs × 5,  40)
Patch Score    = min(Days Since Patch / 365 × 30, 30)
SBOM Score     = (100 − SBOM Coverage %) / 100 × 20
Exposure Score = Internet-Facing % / 100 × 10

Risk Level:
  0–25  → Low
  26–50 → Medium
  51–75 → High
  76–100 → Critical

Example Firmware Risk Score Calculations

Example 1 — Well-maintained industrial gateway

Critical CVEs:    1  →  1 × 5        =  5.0  pts
Days since patch: 30  →  30/365 × 30 =  2.5  pts
SBOM coverage:   90%  →  10/100 × 20 =  2.0  pts
Internet-facing: 10%  →  10/100 × 10 =  1.0  pts
                                         ──────────
Risk Score: 11   →   Risk Level: Low

Example 2 — Neglected consumer IoT camera

Critical CVEs:    4  →  4 × 5        = 20.0  pts
Days since patch: 365 →  365/365 × 30 = 30.0  pts
SBOM coverage:   40%  →  60/100 × 20 = 12.0  pts
Internet-facing: 80%  →  80/100 × 10 =  8.0  pts
                                         ──────────
Risk Score: 70   →   Risk Level: High

Example 3 — Critical infrastructure controller post-advisory

Critical CVEs:   10  →  min(50, 40)  = 40.0  pts  (capped)
Days since patch: 700 →  min(57.5, 30) = 30.0  pts  (capped)
SBOM coverage:   20%  →  80/100 × 20 = 16.0  pts
Internet-facing: 50%  →  50/100 × 10 =  5.0  pts
                                         ──────────
Risk Score: 91   →   Risk Level: Critical
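The formula, caps and risk bands above as a Python implementation, added here as an example (this is not CalcEngine's own code). To reproduce the displayed totals such as 11 in Example 1 it assumes each sub-score is rounded to one decimal before summing and the total is rounded half-up; `rank_fleet` and its `gate` threshold are additions that order a constructed fleet riskiest-first and apply the page's Low-band ship target.

```python
import math

# Caps and per-signal weights taken from the calculator's formula
CVE_POINTS_PER_CRITICAL, CVE_CAP = 5, 40
PATCH_CAP, SBOM_CAP, EXPOSURE_CAP = 30, 20, 10

def sub_scores(critical_cves, days_since_patch, sbom_coverage_pct, internet_facing_pct):
    """Four sub-scores, each rounded to one decimal the way the worked examples
    display them (that rounding step is an assumption about the calculator)."""
    if critical_cves < 0 or days_since_patch < 0:
        raise ValueError("CVE count and patch age must be non-negative")
    if not (0 <= sbom_coverage_pct <= 100 and 0 <= internet_facing_pct <= 100):
        raise ValueError("percentages must be within 0..100")
    raw = {
        "cve": min(critical_cves * CVE_POINTS_PER_CRITICAL, CVE_CAP),
        "patch": min(days_since_patch / 365 * PATCH_CAP, PATCH_CAP),
        "sbom": (100 - sbom_coverage_pct) / 100 * SBOM_CAP,
        "exposure": internet_facing_pct / 100 * EXPOSURE_CAP,
    }
    return {name: round(value, 1) for name, value in raw.items()}

def risk_score(critical_cves, days_since_patch, sbom_coverage_pct, internet_facing_pct):
    """Total 0-100 score: sum of rounded sub-scores, rounded half-up to an integer."""
    total = sum(sub_scores(critical_cves, days_since_patch,
                           sbom_coverage_pct, internet_facing_pct).values())
    return int(math.floor(total + 0.5))

def risk_level(score):
    """Map an integer score onto the calculator's four bands."""
    for ceiling, label in ((25, "Low"), (50, "Medium"), (75, "High")):
        if score <= ceiling:
            return label
    return "Critical"

def rank_fleet(builds, gate=25):
    """Score a list of build dicts; return (name, score, level, ships) tuples,
    riskiest first. 'ships' applies the page's Low-band release target (<= gate)."""
    scored = []
    for b in builds:
        s = risk_score(b["critical_cves"], b["days_since_patch"],
                       b["sbom_coverage_pct"], b["internet_facing_pct"])
        scored.append((b["name"], s, risk_level(s), s <= gate))
    return sorted(scored, key=lambda t: t[1], reverse=True)
```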

Frequently Asked Questions

What is a firmware risk score?
A firmware risk score is a composite 0–100 number that summarises how exposed a firmware build is to exploitation. It combines unpatched vulnerability count, patch staleness, SBOM completeness, and network exposure. Teams use it to prioritise remediation, communicate risk to stakeholders, and gate releases against a defined threshold before shipping.

How many critical CVEs make firmware high risk?
In this model, 8 or more critical CVEs alone push the CVE sub-score to its cap of 40 points. Combined with even moderate patch lag and partial SBOM coverage, 3–5 critical CVEs can produce a High (51–75) score. Patch critical CVEs within 30 days to keep the CVE sub-score below 15 points.

Why does SBOM coverage affect risk score?
An incomplete SBOM means unknown third-party dependencies that may carry untracked CVEs. If you cannot list what is in the firmware, you cannot know what is vulnerable. Low SBOM coverage is a proxy for blind spots: a build with 40% coverage may have 60% of its components completely unaudited, making the actual CVE count unknowable.

What is a good firmware risk score for shipping a product?
A score of 25 or below (Low) is the target for consumer and industrial products before release. Many CRA and IEC 62443 frameworks implicitly require this: no known critical unpatched CVEs, firmware updated within 90 days, SBOM coverage above 85%, and internet-facing exposure minimised or proxied.

How does internet-facing percentage affect firmware risk?
Devices directly reachable from the internet have a vastly larger attack surface than LAN-only or air-gapped devices. Even a firmware build with zero critical CVEs today becomes riskier as new vulnerabilities are discovered if the device is publicly accessible. Use network segmentation, VPNs, or reverse proxies to reduce this sub-score component.