A CVSS score alone is not a useful triage signal for a medical-device team. A CVSS 9.8 on a back-office library and a CVSS 7.2 on an infusion pump are not equivalent risks, but a generic scoring system treats them that way.
BGC-RS is our attempt to publish a defensible MedTech score in the open. Every number on the Goat Feed is computed by the formula below, against data we display on the same page, so reviewers and customers can replicate or challenge any classification.
The formula
BGC-RS = (CVSS × 0.40) + (Patient-safety × 0.35) + (Exploit-maturity × 0.15) + (MedTech-exposure × 0.10). All four components score 0-10 independently; the final score is rounded to one decimal.
CVSS 4.0 base score when published, falling back to CVSS 3.1 then 3.0. Aligned with FDA's February 3, 2026 premarket cybersecurity guidance preference for CVSS 4.0 reporting. Missing CVSS scores get a neutral 4/10 so that an item without an NVD entry is never inadvertently rated 0.
Inferred from device-class signals in the headline, dek, tags, and vendor record. Tiers: life-threatening (implantables, ventilators, infusion pumps, pacemakers, anesthesia, ECMO), injury (imaging, robotic surgery, dialysis, radiotherapy, CGM/glucose), delay-of-care (EHR/EMR, HL7/FHIR, PACS, pharmacy/medication workflow), or none.
KEV-listed > weaponized > public PoC > none. KEV items receive the full 10 - inclusion in CISA's KEV catalog is direct evidence of in-the-wild exploitation with a federal remediation deadline.
Baseline of 4 (item is in the MedTech feed at all), +3 for network-reachable signals (remote, network, cloud, Bluetooth, Wi-Fi, TLS, SSH, VPN), +2 when a device class is identified, +1 when a vendor slug is resolved.
Tiers
The numeric score maps to a triage tier displayed alongside the headline on every feed item.
- Critical8.5 - 10Same-day triage. Confirmed exploitation or life-threatening clinical potential.
- High7.0 - 8.4Patch within current sprint. Strong technical impact or clinical-injury potential.
- Notable4.0 - 6.9Fold into next compliance cycle. Defensible to defer with documented rationale.
- Info0 - 3.9Background. Track for trend analysis.
Worked examples
KEV - Implantable cardiac monitor with critical CVSS
- CVSS 4.0 = 9.4
- Patient safety = life-threatening (cardiac monitor)
- Exploit = KEV
- Exposure = 9/10 (network-reachable, vendor known)
9.4 × 0.40 + 10 × 0.35 + 10 × 0.15 + 9 × 0.10 = 3.76 + 3.50 + 1.50 + 0.90 = 9.7
9.7 - Critical
NVD CVE - HL7 integration library, no PoC
- CVSS 3.1 = 7.5
- Patient safety = delay-of-care (HL7/FHIR)
- Exploit = none
- Exposure = 7/10 (network signals)
7.5 × 0.40 + 5 × 0.35 + 2 × 0.15 + 7 × 0.10 = 3.00 + 1.75 + 0.30 + 0.70 = 5.8
5.8 - Notable
Linux kernel CVE on a backend server (KEV-listed)
- CVSS 3.1 = 7.8
- Patient safety = none (kernel infra, no device-class match)
- Exploit = KEV
- Exposure = 7/10
7.8 × 0.40 + 2 × 0.35 + 10 × 0.15 + 7 × 0.10 = 3.12 + 0.70 + 1.50 + 0.70 = 6.0
6.0 - Notable
Scope and limits
- BGC-RS is computed for KEV and CVE items only. FDA letters, recalls, and MAUDE events keep their existing severity (critical/notable/info) classification.
- Patient-safety tier is inferred from device-class signals in the source text. We will add an admin override and per-vendor product-line maps in a future revision.
- CVSS 4.0 is preferred when published. NVD coverage of 4.0 is still uneven, so most current items fall back to CVSS 3.1.
- The score is a triage aid, not a substitute for your own SBOM-driven impact analysis or a Section 524B postmarket vulnerability review.
Changelog
- v1.0 - Initial publication. Four-component rubric, KEV/CVE only, auto-inferred patient safety.
See the full Goat Feed methodology for source lists, ingestion cadence, and editorial controls.