Software:Exploit Prediction Scoring System
| Exploit Prediction Scoring System | |
| Year started | 2021 |
|---|---|
| Latest version | Version 4 |
| Organization | FIRST |
| Domain | Information security |
| Website | www |
The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.[1][2] EPSS is complementary to the Common Vulnerability Scoring System.[1] Combining EPSS and CVSS aligns remediation with actual threat activity.[3][4]
History
The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019.[5] In April 2020 FIRST started a special interest group to develop the standard.[6]
Versions
- 7 January 2021 – Public publication of daily EPSS scores began (model v1).[7]
- 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.
- 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.
- 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.[1]
Adoption
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage.[8] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[5] Academic research uses EPSS to model exploit trends and evaluate defenses.[9]
References
- ↑ 1.0 1.1 1.2 "EPSS Version 4 Released". 17 March 2025. https://www.first.org/epss/.
- ↑ Kovacs, Eduard (2025-05-20). "Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers" (in en-US). https://www.securityweek.com/vulnerability-exploitation-probability-metric-proposed-by-nist-cisa-researchers/.
- ↑ Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Hoon Wei Lim; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].
- ↑ Ravalico, Damiano; Farina, Mauro; Trevisan, Martino; Bartoli, Alberto (2025). "Analysing the Temporal Dynamics of the Exploit Prediction Scoring Systems (Epss)". https://doi.org/10.2139/ssrn.5147459.
- ↑ 5.0 5.1 "What Is an EPSS Score?". 10 February 2024. https://www.brinqa.com/glossary/what-is-epss-score/.
- ↑ "EPSS Special Interest Group Portal". https://portal.first.org/g/epss-sig.
- ↑ "Understanding and Using the EPSS Scoring System". 20 January 2023. https://fossa.com/blog/understanding-using-epss-scoring-system/.
- ↑ Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].
- ↑ Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].
External links
 |  |
