Skip to content

EPSS#

EPSS (Exploit Prediction Scoring System) represents "the probability that a vulnerability will be exploited within the next 30 days". It is a score indicating the threat level of a vulnerability, and is published by FIRST.

In its "January 2024 release", FutureVuls incorporated EPSS information.

Overview#

EPSS consists of a Score and a Percentile. The meaning of each value is as follows.

Item Details
Score Represents the probability that the vulnerability will be exploited within the next 30 days.
The higher the value, the higher the probability of exploitation and the more threatening the vulnerability.
Percentile Represents the proportion of vulnerabilities whose EPSS score is lower than that of the target.
The higher the value, the higher the threat level of this vulnerability relative to others.

Note that EPSS is only an indicator that quantitatively shows the threat level of a vulnerability; it does not represent the risk posed by the vulnerability. This is similar to how the CVSS Base Score indicates only the severity of a vulnerability and does not represent the actual risk.

For how to think about risk, please refer to this "blog article". Even if the EPSS score is high, it is possible that the impact is not severe, or that there is no adverse effect on your own organization.

An Example of Using EPSS as a Triage Indicator#

This section introduces a way to treat EPSS as one of your triage indicators. The basic idea is to use a vulnerability triage indicator such as SSVC as the foundation, and to use EPSS as a supplementary indicator.

Specifically, here are some examples.

Further Prioritization Within Immediate#

Among the vulnerabilities classified as Immediate, respond first to those with a high EPSS score.

SSVC Priority lets you classify vulnerability response priorities into four levels, but the number of vulnerabilities classified as Immediate may exceed the number you can handle. In that case, you can use the EPSS score as a supplementary indicator to further sort within Immediate by score and decide the response priority.

Complementing SSVC Judgments#

Among the tasks classified as Scheduled or Defer, make those with a high EPSS score targets for response.

On rare occasions, there may be vulnerabilities whose SSVC Priority is not urgent—such as Scheduled or Defer—but whose EPSS score is high. This is because, although no attack or the like has been observed at present, the score is calculated to be high based on attack information that is not publicly available or on past experience. Note that because EPSS is based on a machine learning model, the basis for this score is a black box. You can stay on guard—thinking "the risk is not high at present, but the EPSS score is high for unknown reasons, and the future threat level may become high"—and respond proactively.

Learn More About EPSS#

The blogs below explain the details of EPSS and how to use it.

Type URL Notes
Blog Introduction to EPSS
Blog In-Depth Guide to EPSS
Blog Explanation of Strategies and Frameworks for Vulnerability Response