BCS Scoring
BCS (BreachSpider Confidence Score) is BreachSpider's proprietary vulnerability priority score for ICS/OT environments. Scale: 0.0-10.0. Proprietary to CITED Relevance LLC.
Why BCS Exists
CVSS measures severity in isolation. EPSS measures exploitation probability. Neither is designed for ICS/OT triage priorities.
BCS combines both signals with ICS-specific context:
- A CVSS 6.0 vulnerability in a KEV-listed Modbus gateway should rank above a CVSS 9.0 desktop OS vulnerability with no exploits.
- A CVE affecting a PLC running PROFINET in a water treatment plant carries different operational risk than the same CVE affecting a Windows server.
BCS reflects these realities.
Score Tiers
| Tier | Range | Action |
|---|---|---|
| CRITICAL | 9.0 - 10.0 | Patch within 24-48 hours, escalate immediately |
| HIGH | 7.0 - 8.9 | Patch within the current sprint or maintenance window |
| MEDIUM | 4.0 - 6.9 | Track and patch at next scheduled maintenance |
| LOW | 0.0 - 3.9 | Address in routine patch cycle |
Factors
| Factor | Weight Direction |
|---|---|
| CVSS base score | Foundation |
| KEV flagged | Strong increase |
| Functional public exploit | Strong increase |
| PoC available | Moderate increase |
| ICS relevance score >= 0.7 | Increase |
| Patch available | Moderate decrease |
| EPSS percentile >= 0.90 | Increase |
BCS in the API
BCS appears in both list and detail responses:
```json
{
  "bcs_score": 10.0,
  "scoring": {
    "bcs": {
      "score": 10.0,
      "tier": "CRITICAL",
      "factors": {
        "kev_flagged": true,
        "poc_available": true,
        "has_public_exploit": false,
        "patch_available": true,
        "ics_relevance": 0.94
      }
    }
  }
}
```
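A client-side triage queue built from responses in the shape shown above, as an added example (not BreachSpider's own code). It maps each score to the tier and action from the Score Tiers table and flags records whose reported fields disagree; it does not compute BCS. The `id` key and the sample records are assumptions made for illustration.

```python
import json

# (lower bound, tier, action) rows taken from the Score Tiers table.
TIERS = [
    (9.0, "CRITICAL", "Patch within 24-48 hours, escalate immediately"),
    (7.0, "HIGH", "Patch within the current sprint or maintenance window"),
    (4.0, "MEDIUM", "Track and patch at next scheduled maintenance"),
    (0.0, "LOW", "Address in routine patch cycle"),
]

def tier_for(score):
    """Map a BCS score to (tier, action); reject anything outside 0.0-10.0."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError(f"BCS is not a number: {score!r}")
    if not 0.0 <= score <= 10.0:  # the chained comparison also rejects NaN
        raise ValueError(f"BCS out of range: {score!r}")
    # Assumption: a score between two listed ranges (e.g. 8.95) takes the lower tier.
    return next((name, action) for floor, name, action in TIERS if score >= floor)

def triage(records):
    """Build a work queue: highest BCS first, KEV-flagged first on ties."""
    queue = []
    for rec in records:
        bcs = rec["scoring"]["bcs"]
        tier, action = tier_for(bcs["score"])
        queue.append({
            "id": rec["id"],  # hypothetical key, not shown on the page
            "score": bcs["score"],
            "tier": tier,
            "action": action,
            "kev": bool(bcs["factors"].get("kev_flagged", False)),
            # Flag records whose reported fields disagree with each other or the table.
            "inconsistent": bcs.get("tier") != tier or rec.get("bcs_score") != bcs["score"],
        })
    queue.sort(key=lambda r: (-r["score"], not r["kev"]))
    return queue

# Constructed sample records in the shape shown above; ids are placeholders.
SAMPLE = json.loads("""[
 {"id": "EXAMPLE-B", "bcs_score": 7.4, "scoring": {"bcs": {"score": 7.4, "tier": "HIGH", "factors": {"kev_flagged": false}}}},
 {"id": "EXAMPLE-D", "bcs_score": 3.9, "scoring": {"bcs": {"score": 3.9, "tier": "LOW", "factors": {"kev_flagged": false}}}},
 {"id": "EXAMPLE-C", "bcs_score": 7.4, "scoring": {"bcs": {"score": 7.4, "tier": "MEDIUM", "factors": {"kev_flagged": true}}}},
 {"id": "EXAMPLE-A", "bcs_score": 10.0, "scoring": {"bcs": {"score": 10.0, "tier": "CRITICAL", "factors": {"kev_flagged": true}}}}
]""")

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```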
Filtering by BCS
```bash
# CVEs with BCS >= 8.0
curl -H "Authorization: Bearer bs_live_..." \
  "https://breachspider.com/api/v1/cves?bcs_min=8.0"
```