Exploit Prediction Scoring System

EPSS
Exploit Prediction Scoring System
Year started2021
Latest versionVersion 4
OrganizationFIRST
DomainInformation security
Websitewww.first.org/epss

The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.[1][2] EPSS is complementary to the Common Vulnerability Scoring System.[1] Combining EPSS and CVSS aligns remediation with actual threat activity.[3][4]

History

The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019.[5] In April 2020 FIRST started a special interest group to develop the standard.[6]

Versions

  • 7 January 2021 – Public publication of daily EPSS scores began (model v1).[7]
  • 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.
  • 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.
  • 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.[1]

Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage.[8] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[5] Academic research uses EPSS to model exploit trends and evaluate defenses.[9]

References

  1. ^ a b c "EPSS Version 4 Released". FIRST. 17 March 2025. Retrieved 14 April 2025.
  2. ^ Kovacs, Eduard (2025-05-20). "Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers". SecurityWeek. Retrieved 2026-03-15.
  3. ^ Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Hoon Wei Lim; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].
  4. ^ Ravalico, Damiano; Farina, Mauro; Trevisan, Martino; Bartoli, Alberto (2025). "Analysing the Temporal Dynamics of the Exploit Prediction Scoring Systems (Epss)". doi.org. Retrieved 2026-03-15.
  5. ^ a b "What Is an EPSS Score?". Brinqa. 10 February 2024. Retrieved 14 April 2025.
  6. ^ "EPSS Special Interest Group Portal". FIRST. Retrieved 14 April 2025.
  7. ^ "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.
  8. ^ Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].
  9. ^ Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].
This article is issued from Wikipedia. The text is available under Creative Commons Attribution-Share Alike 4.0 unless otherwise noted. Additional terms may apply for the media files.