Software:Exploit Prediction Scoring System

From HandWiki
Short description: Information security standard
EPSS
Exploit Prediction Scoring System
Year started2021
Latest versionVersion 4
OrganizationFIRST
DomainInformation security
Websitewww.first.org/epss

The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.[1][2] EPSS is complementary to the Common Vulnerability Scoring System.[1] Combining EPSS and CVSS aligns remediation with actual threat activity.[3][4]

Characteristics

Vulnerabilities get assigned a probability value between 0 and 1 that determines the chance of them being exploited in the real world.[5]

History

The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019.[6] In April 2020 FIRST started a special interest group to develop the standard.[7]

Versions

  • 7 January 2021 – Public publication of daily EPSS scores began (model v1).[8]
  • 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.
  • 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.
  • 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.[1]

Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage.[9] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[6] Academic research uses EPSS to model exploit trends and evaluate defenses.[10]

References

  1. 1.0 1.1 1.2 "EPSS Version 4 Released". 17 March 2025. https://www.first.org/epss/. 
  2. Kovacs, Eduard (2025-05-20). "Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers" (in en-US). https://www.securityweek.com/vulnerability-exploitation-probability-metric-proposed-by-nist-cisa-researchers/. 
  3. Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Hoon Wei Lim; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].
  4. Ravalico, Damiano; Farina, Mauro; Trevisan, Martino; Bartoli, Alberto (2025). "Analysing the Temporal Dynamics of the Exploit Prediction Scoring Systems (Epss)". https://doi.org/10.2139/ssrn.5147459. 
  5. "Exploit Prediction Scoring System (EPSS) Special Interest Group (SIG)" (in en). https://www.first.org/epss/. 
  6. 6.0 6.1 "What Is an EPSS Score?". 10 February 2024. https://www.brinqa.com/glossary/what-is-epss-score/. 
  7. "EPSS Special Interest Group Portal". https://portal.first.org/g/epss-sig. 
  8. "Understanding and Using the EPSS Scoring System". 20 January 2023. https://fossa.com/blog/understanding-using-epss-scoring-system/. 
  9. Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].
  10. Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].