Enterprises are confronted with an unprecedented escalation in cybersecurity vulnerabilities, with thousands of new CVEs disclosed each month. Conventional prioritization frameworks such as CVSS offer static severity metrics that fail to account for exploit probability, compliance urgency, and operational impact, resulting in inefficient and delayed remediation. This paper introduces RiskBridge, an explainable and compliance-aware vulnerability management framework that integrates multi-source intelligence from CVSS v4, EPSS, and CISA KEV to produce dynamic, business-aligned patch priorities. RiskBridge employs a probabilistic Zero-Day Exposure Simulation (ZDES) model to forecast near-term exploit likelihood, a Policy-as-Code Engine to translate regulatory mandates (e.g., PCI DSS, NIST SP 800-53) into automated SLA logic, and an ROI-driven Optimizer to maximize cumulative risk reduction per remediation effort. Experimental evaluations using live CVE datasets demonstrate an 88% reduction in residual risk, an 18-day improvement in SLA compliance, and a 35% increase in remediation efficiency compared to state-of-the-art commercial baselines. These findings validate RiskBridge as a practical and auditable decision-intelligence system that unifies probabilistic modeling, compliance reasoning, and optimization analytics. The framework represents a step toward automated, explainable, and business-centric vulnerability management in modern enterprise environments.
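The three-stage pipeline the abstract outlines (CVSS v4, EPSS and KEV fused into an exposure-weighted risk score, a policy-as-code SLA table, and ROI-based ranking) as an added illustrative example; this is not the RiskBridge implementation, and the exposure model, SLA day counts, asset weights and placeholder CVE ids are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Illustrative policy-as-code table (assumed, not the paper's): remediation SLA in
# days per CVSS qualitative band, in the spirit of PCI DSS patching timelines.
POLICY_SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}
@dataclass
class Finding:
    cve: str             # placeholder identifier, constructed for this example
    cvss: float          # CVSS v4 base score, 0-10
    epss: float          # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool         # listed in the CISA KEV catalogue
    asset_weight: float  # business criticality multiplier (assumed scale 0.5-2.0)
    effort_hours: float  # estimated remediation effort
    disclosed: date      # date the finding entered the queue

def severity_band(cvss: float) -> str:
    """CVSS v4 qualitative rating thresholds."""
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    return "medium" if cvss >= 4.0 else "low"

def exposure_probability(f: Finding) -> float:
    """Assumed model: KEV membership counts as certain exploitation, else use EPSS."""
    return 1.0 if f.in_kev else f.epss

def risk(f: Finding) -> float:
    """Business-weighted expected-loss proxy: P(exploit) x impact/10 x asset weight."""
    return exposure_probability(f) * (f.cvss / 10.0) * f.asset_weight

def roi(f: Finding) -> float:
    """Optimizer metric: risk removed per hour of remediation effort."""
    return risk(f) / f.effort_hours

def sla_deadline(f: Finding) -> date:
    """Policy-as-code: SLA due date derived from the severity band."""
    return f.disclosed + timedelta(days=POLICY_SLA_DAYS[severity_band(f.cvss)])

def prioritize(findings: list, today: date) -> list:
    """Rank SLA breaches first (compliance urgency), then by descending ROI.
    Each row is (cve, roi, deadline, overdue) so the ordering is auditable."""
    rows = [(f.cve, roi(f), sla_deadline(f), sla_deadline(f) < today)
            for f in findings]
    return sorted(rows, key=lambda r: (not r[3], -r[1]))

# Constructed sample queue (placeholder CVE ids, not real data) and evaluation date
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, 0.02, False, 1.0, 8, date(2024, 1, 10)),
    Finding("CVE-XXXX-0002", 7.5, 0.60, True, 1.5, 4, date(2024, 2, 20)),
    Finding("CVE-XXXX-0003", 5.3, 0.90, False, 1.0, 2, date(2024, 1, 1)),
]
```

With no SLA breach pending, the KEV-listed and high-EPSS findings outrank the CVSS 9.8 item that a severity-only queue would patch first; once that item passes its policy deadline it is escalated to the top, which is the compliance-aware behaviour the abstract describes.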