Aug 17, 2022

Limitations of EPSS

Work on the EPSS model began in 2019, alongside the criticism of the Common Vulnerability Scoring System (CVSS) that surfaced in 2018.

EPSS is a measure of how likely a CVE is to be exploited in the next 30 days. It is most useful when there is no other evidence of active exploitation.

EPSS should not be treated as a complete picture of risk, but it can serve as one of several inputs into a risk analysis.

EPSS version 2 was released in February 2022. This release has generated considerable excitement around EPSS, especially since the improvements to CVSS (version 4) are still under development.

The blog post from Carnegie Mellon University summarized here evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that a software vulnerability will be exploited in practice.

The author raises concerns about EPSS in two general areas: problems caused by the opacity of the model, and problems stemming from the details of its data provenance. As a result, no vulnerability analysis or risk management process can rely on EPSS alone, and EPSS cannot by itself replace an existing threat intelligence process. At present, EPSS v2 is useful only in a limited set of scenarios.

EPSS Opacity

The EPSS target audience, development process, and future governance are opaque.

EPSS uses machine learning to predict an exploitation probability for each CVE ID. This dependence on a pre-existing CVE ID is one reason why EPSS is of little use to software suppliers, CSIRTs, and many bug bounty programs.

Most of those stakeholders need to prioritize vulnerabilities that either do not yet have public CVE IDs or belong to classes of weaknesses that never receive CVE IDs, such as misconfigurations.

See the full post at the link below.

Links: