EPSS version 2 is out (released Feb 04, 2022).
The Exploit Prediction Scoring System (EPSS) is a data-driven effort to estimate the likelihood (probability) that a vulnerability will be exploited in the wild. It collects ground-truth information, such as how often vulnerabilities are actually being exploited in the wild, and compares that with the attributes of each vulnerability.
The goal of EPSS v2 is to estimate the probability of observing exploitation of a given CVE in the next 30 days.
Objectives:
- Centralized (data collection, scoring, and API-driven delivery)
- Performant (outperforms other scoring systems, including EPSS v1)
Comparing CVSSv3 and EPSS Coverage
We all know that selecting the right remediation strategy is important. Here we compare remediation strategies and their efficiency under different scoring systems. Each strategy is "remediate everything at or above a threshold"; effort is the number of vulnerabilities that strategy makes you remediate (per 1000), coverage is the share of the actually exploited vulnerabilities it catches, and efficiency is the share of the remediated vulnerabilities that were actually exploited. The thresholds below were chosen so that every strategy reaches roughly 50% coverage, which makes effort and efficiency directly comparable.
Comparison by Coverage: CVSSv3 vs EPSSv2

| Scoring | Strategy (threshold) | Effort (remediated per 1000) | Coverage | Efficiency |
|---|---|---|---|---|
| CVSS v3 | 8.8+ | 253/1000 | 50.7% | 5.0% |
| EPSS v1 | 0.066+ | 93/1000 | 51.2% | 12.9% |
| EPSS v2 | 0.149+ | 47/1000 | 50.9% | 42.5% |
At roughly equal coverage (about 50%), EPSS v2 requires less than a fifth of the effort of CVSS v3 (47 vs 253 vulnerabilities per 1000) and is about eight times as efficient (42.5% vs 5.0%). With the right strategy, we can balance coverage against the reality of the time, money, and energy needed to remediate.
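The following is an added example, not code from the EPSS project or from the original post, showing how the numbers in a table like the one above are produced. It implements the three metrics as the EPSS documentation defines them (effort = fraction of vulnerabilities remediated, coverage = true positives / all exploited, efficiency = true positives / all remediated) and, for each scoring system, picks the highest threshold that reaches a target coverage, which is exactly how the thresholds in the table are chosen. The `Vuln` class, the function names, and the ten-entry `SAMPLE` (CVE IDs, CVSS and EPSS values, and exploitation flags) are all constructed for illustration and are not real data.

```python
"""Added example: compare threshold-based remediation strategies by
effort, coverage and efficiency (the three metrics in the EPSS v2 table).
Sample data below is constructed and is not real EPSS or exploitation data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float       # CVSSv3 base score (constructed)
    epss: float       # EPSS probability (constructed)
    exploited: bool   # ground truth: exploitation observed in the window


# Constructed sample, NOT real scores or exploitation records.
# Four of the ten are "exploited"; note the high-CVSS-but-unexploited entries
# and the mid-CVSS-but-exploited ones, which is what separates the two scores.
SAMPLE: List[Vuln] = [
    Vuln("CVE-0000-0001", 9.8, 0.90, True),
    Vuln("CVE-0000-0002", 9.8, 0.30, False),
    Vuln("CVE-0000-0003", 9.1, 0.02, False),
    Vuln("CVE-0000-0004", 8.8, 0.60, True),
    Vuln("CVE-0000-0005", 8.8, 0.01, False),
    Vuln("CVE-0000-0006", 8.1, 0.03, False),
    Vuln("CVE-0000-0007", 7.5, 0.40, True),
    Vuln("CVE-0000-0008", 7.5, 0.02, False),
    Vuln("CVE-0000-0009", 6.5, 0.25, True),
    Vuln("CVE-0000-0010", 5.3, 0.01, False),
]

Score = Callable[[Vuln], float]


def evaluate(vulns: List[Vuln], score: Score, threshold: float) -> Tuple[float, float, float]:
    """Strategy: remediate everything with score >= threshold.
    Returns (effort, coverage, efficiency) as fractions in [0, 1]."""
    remediated = [v for v in vulns if score(v) >= threshold]
    exploited_total = sum(1 for v in vulns if v.exploited)
    tp = sum(1 for v in remediated if v.exploited)   # remediated AND exploited
    effort = len(remediated) / len(vulns)
    coverage = tp / exploited_total if exploited_total else 0.0
    efficiency = tp / len(remediated) if remediated else 0.0
    return effort, coverage, efficiency


def threshold_for_coverage(vulns: List[Vuln], score: Score, target: float) -> float:
    """Highest threshold (taken from the observed scores) whose coverage
    reaches `target`; lowering the threshold only ever adds effort."""
    for t in sorted({score(v) for v in vulns}, reverse=True):
        _, coverage, _ = evaluate(vulns, score, t)
        if coverage >= target:
            return t
    return min(score(v) for v in vulns)  # only reachable if target > 1.0


def compare(vulns: List[Vuln], target_coverage: float = 0.5) -> Dict[str, Dict[str, float]]:
    """Mirror the table above: for each scoring system, pick the threshold
    that hits the target coverage and report the resulting metrics."""
    scores: Dict[str, Score] = {"CVSS v3": lambda v: v.cvss, "EPSS": lambda v: v.epss}
    rows: Dict[str, Dict[str, float]] = {}
    for name, score in scores.items():
        t = threshold_for_coverage(vulns, score, target_coverage)
        effort, coverage, efficiency = evaluate(vulns, score, t)
        rows[name] = {"threshold": t, "effort": effort,
                      "coverage": coverage, "efficiency": efficiency}
    return rows


if __name__ == "__main__":
    print(f"{'Scoring':8} {'Threshold':>9} {'Effort/1000':>12} {'Coverage':>9} {'Efficiency':>11}")
    for name, r in compare(SAMPLE).items():
        print(f"{name:8} {r['threshold']:>9} {round(r['effort'] * 1000):>12} "
              f"{r['coverage']:>9.1%} {r['efficiency']:>11.1%}")
```

On the constructed sample both scores are driven down to 50% coverage: CVSS v3 needs a threshold of 8.8+ and remediates half the list for 40% efficiency, while EPSS reaches the same coverage at 0.60+ by remediating a fifth of the list with 100% efficiency. The absolute numbers mean nothing (the data is made up), but the shape of the comparison is the one the table shows: at fixed coverage, the better-calibrated score buys the same protection for far less effort.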
Links: