EPSS

If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022).
“The (EPSS) is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. By collecting and analyzing these data, EPSS seeks to improve vulnerability prioritization by estimating the likelihood that a vulnerability will be exploited. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days)” (Jacobs, 2022).
As of February 2022, EPSS version 2 is available; give Jay’s write-up a good read before proceeding. EPSS v2 is preceded by EPSS v1 and CVSS v3. Note the significant increase in model coverage and efficiency per Figure 1.