Proximos does not calculate, request, or independently surface CVE data of its own. The only CVE information that ever appears anywhere in Proximos comes from Nudge and SOFA — when a known CVE score exists for an update, Nudge (drawing on SOFA’s feed) displays it directly inside the Nudge window. Proximos itself doesn’t process, store, or act on that score in any way.

What We Considered

We spent real time researching whether CVE scores should play a larger role in Proximos’s enforcement logic — pulling severity data from SOFA directly, or going straight to CVE.org, and using it to drive the workflow itself. The idea we kept coming back to was tiered enforcement windows: a critical CVE might warrant a tight, 48-hour patch deadline, while a low-severity update could sit on the normal countdown timeline. Tying urgency to known severity sounds like exactly the right way to prioritize patching.

What We Found in Practice

The timing of CVE disclosure doesn’t line up with the timing of an enforcement deadline:
  • A CVE score isn’t always available right away. It can take up to 48 hours after an update ships for that update’s CVE score to be published.
  • Details take even longer. A full description of what a security patch actually fixes may not be published for up to two weeks.
This delay isn’t an oversight — it’s intentional. Publishing exploit details before an update has had time to reach most of the affected fleet would hand attackers a roadmap to the vulnerability while a large share of devices are still unpatched. Disclosing that information on day zero is, by design, exactly the wrong move from a security standpoint.

That timing creates a direct contradiction for any policy that ties enforcement deadlines to CVE severity. Imagine a requirement to patch any CVE 9-or-higher update within 48 hours: the score needed to even trigger that 48-hour clock might not exist yet within that window. For a more sensitive exploit, the full write-up might not surface for weeks after that. An enforcement deadline calculated from a CVE score can end up moving after the fact — sometimes to a date that’s already passed by the time the score is published — undermining the very policy it was meant to enforce.

On top of the timing problem, the underlying data is hard to work with. CVE information was difficult to source reliably before SOFA existed, and even with SOFA in place, mapping individual CVEs cleanly to a specific macOS version remains inconsistent.

Our Decision

Given these constraints, we’ve chosen to keep CVE scores out of Proximos’s enforcement logic and workflow at this time. Proximos will continue to surface whatever CVE data Nudge and SOFA make available in the Nudge window as informational context, but it won’t drive enforcement timing. Our recommended best practice is simpler, and doesn’t depend on data that may not exist yet: patch every update as quickly as your organization reasonably can, regardless of its eventual CVE score. The Enforce Update On Day setting is what actually controls your enforcement timeline — set it as tight as your compliance requirements demand, and let it run on every update, not just the ones a CVE score happens to flag in time.
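The timing contradiction described under "What We Found in Practice", and the fixed-window alternative recommended above, modelled as a small Python example. This is added illustration, not Proximos or Nudge code: the release and CVE timestamps are constructed, the 9.0 threshold and 48-hour window are the hypothetical policy from the text, and `fixed_deadline` only stands in for the idea behind the Enforce Update On Day setting.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample timeline (not real release data): an update ships at
# day zero and its CVE score is published 48 hours later, the worst-case lag
# the page describes.
RELEASE = datetime(2024, 1, 1, 9, 0)
CVE_PUBLISHED = RELEASE + timedelta(hours=48)
CVE_SCORE = 9.8

HOURS_48 = timedelta(hours=48)


def cve_driven_deadline(release: datetime, cve_published: datetime,
                        score: float, now: datetime,
                        threshold: float = 9.0,
                        window: timedelta = HOURS_48) -> Optional[datetime]:
    """Hypothetical tiered policy: patch any CVE >= threshold within `window`
    of the update's release. Returns None while the policy cannot fire, either
    because no score has been published yet at `now` or because the score is
    below the threshold."""
    if now < cve_published or score < threshold:
        return None
    return release + window


def fixed_deadline(release: datetime, enforce_on_day: int) -> datetime:
    """Fixed-window policy in the spirit of Enforce Update On Day: the
    deadline is known on release day and depends on no CVE data at all."""
    return release + timedelta(days=enforce_on_day)


def cve_policy_status(release: datetime, cve_published: datetime,
                      score: float, now: datetime) -> str:
    """What an admin sees at time `now` under the CVE-driven policy."""
    deadline = cve_driven_deadline(release, cve_published, score, now)
    if deadline is None:
        return "not_triggered"      # no score yet, so the clock never started
    if deadline <= now:
        return "already_overdue"    # the deadline arrived with (or before) the score
    return "window_open"


if __name__ == "__main__":
    for hours in (24, 48, 72):
        now = RELEASE + timedelta(hours=hours)
        status = cve_policy_status(RELEASE, CVE_PUBLISHED, CVE_SCORE, now)
        print(f"t+{hours}h under CVE-driven policy: {status}")
    print("fixed deadline, known on release day:", fixed_deadline(RELEASE, 7))
```

Running it shows the CVE-driven clock reporting "not_triggered" for the first two days and jumping straight to "already_overdue" the moment the score appears, while the fixed deadline is computable on day zero.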