New vulnerability rating framework aims to fill in CVSS gaps