Exploit Prediction Scoring System

EPSS
Exploit Prediction Scoring System
Year started: 2021
Latest version: Version 4
Organization: FIRST
Domain: Information security
Website: www.first.org/epss

The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability that a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.[1][2] EPSS is complementary to the Common Vulnerability Scoring System (CVSS): CVSS rates the severity of a vulnerability from its intrinsic characteristics, whereas EPSS estimates how likely it is to be exploited.[1] Combining the two aligns remediation with actual threat activity rather than with severity alone.[3][4]

Characteristics

Each vulnerability is assigned a probability between 0 and 1 that estimates its chance of being exploited in the wild within the following 30 days. Scores are recomputed daily, and each probability is published together with a percentile that ranks the vulnerability against all other scored CVEs.[5]
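The following is an added worked example, not code from FIRST or the EPSS SIG, showing what the lead section and this section describe: reading EPSS probabilities and percentiles in the shape of the daily CSV export, combining them with CVSS base scores for triage, and treating the scores as probabilities (expected exploited count, chance that at least one vulnerability in a set is exploited). The CVE identifiers, scores, inventory and the patch-now thresholds are constructed for illustration and are assumptions of this example, not a FIRST recommendation.

```python
"""Combine EPSS probabilities with CVSS base scores for remediation triage.

Added example; not code from FIRST or the EPSS SIG. The CSV layout
(`cve,epss,percentile` preceded by a '#' metadata line) mirrors the daily
EPSS export; every CVE, score, inventory entry and threshold below is
constructed for illustration.
"""
import csv
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of the daily EPSS CSV export.
EPSS_CSV = """\
#model_version:v2025.03.14,score_date:2025-04-01T00:00:00+0000
cve,epss,percentile
CVE-2021-0001,0.97000,0.99900
CVE-2021-0002,0.00400,0.70000
CVE-2021-0003,0.12000,0.95000
CVE-2021-0004,0.00050,0.20000
"""

# Constructed asset inventory: CVE -> CVSS v3 base score (severity, not likelihood).
INVENTORY: Dict[str, float] = {
    "CVE-2021-0001": 5.3,   # medium severity, but very likely to be exploited
    "CVE-2021-0002": 9.8,   # critical severity, but rarely exploited
    "CVE-2021-0003": 7.5,
    "CVE-2021-0004": 9.1,
}

NO_SCORE = (0.0, 0.0)  # used for CVEs absent from the export: no evidence of exploitation


def parse_epss(text: str) -> Dict[str, Tuple[float, float]]:
    """Parse EPSS CSV text into {cve: (probability, percentile)}.

    Lines starting with '#' carry model version and score date and are skipped.
    A probability outside [0, 1] indicates a corrupt or truncated export, so reject it.
    """
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    scores: Dict[str, Tuple[float, float]] = {}
    for row in csv.DictReader(rows):
        p = float(row["epss"])
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{row['cve']}: EPSS value {p} outside [0, 1]")
        scores[row["cve"]] = (p, float(row["percentile"]))
    return scores


def triage(inventory: Dict[str, float], epss: Dict[str, Tuple[float, float]],
           p_threshold: float = 0.1, cvss_threshold: float = 9.0) -> Tuple[List[str], List[str]]:
    """Split the inventory into (patch_now, patch_later), each ordered by EPSS then CVSS.

    Assumed rule for this example: patch now when the 30-day exploitation probability
    is at or above p_threshold, or when the CVE is CVSS-critical and has at least a
    weak exploitation signal (EPSS >= 0.01). A CVSS-only ranking would invert the
    order of CVE-2021-0001 and CVE-2021-0002 in the constructed data.
    """
    def rank_key(cve: str) -> Tuple[float, float]:
        return (epss.get(cve, NO_SCORE)[0], inventory[cve])

    now, later = [], []
    for cve, cvss in inventory.items():
        p, _percentile = epss.get(cve, NO_SCORE)
        if p >= p_threshold or (cvss >= cvss_threshold and p >= 0.01):
            now.append(cve)
        else:
            later.append(cve)
    return sorted(now, key=rank_key, reverse=True), sorted(later, key=rank_key, reverse=True)


def expected_exploited(cves: Iterable[str], epss: Dict[str, Tuple[float, float]]) -> float:
    """Expected number of the given CVEs exploited within 30 days (sum of probabilities)."""
    return sum(epss.get(c, NO_SCORE)[0] for c in cves)


def prob_any_exploited(cves: Iterable[str], epss: Dict[str, Tuple[float, float]]) -> float:
    """P(at least one of the CVEs is exploited within 30 days), assuming independence."""
    p_none = 1.0
    for c in cves:
        p_none *= 1.0 - epss.get(c, NO_SCORE)[0]
    return 1.0 - p_none


if __name__ == "__main__":
    scores = parse_epss(EPSS_CSV)
    now, later = triage(INVENTORY, scores)
    print("patch now  :", now)
    print("patch later:", later)
    print(f"expected exploited in 30 days: {expected_exploited(INVENTORY, scores):.3f}")
    print(f"P(any exploited in 30 days):   {prob_any_exploited(INVENTORY, scores):.3f}")
```

In the constructed data the CVSS 9.8 vulnerability lands in the later bucket and the CVSS 5.3 one in the now bucket, which is the reordering the lead section means by aligning remediation with threat activity. The independence assumption in prob_any_exploited is a simplification: EPSS scores are per-CVE estimates and FIRST does not publish joint probabilities.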

History

The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019.[6] In April 2020 FIRST started a special interest group to develop the standard.[7]

Versions

  • 7 January 2021 – Publication of daily EPSS scores began (model v1).[8]
  • 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.
  • 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.
  • 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.[1]

Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage.[9] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[6] Academic research uses EPSS to model exploit trends and evaluate defenses.[10]

References

  1. "EPSS Version 4 Released". FIRST. 17 March 2025. Retrieved 14 April 2025.
  2. Kovacs, Eduard (20 May 2025). "Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers". SecurityWeek. Retrieved 15 March 2026.
  3. Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Lim, Hoon Wei; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].
  4. Ravalico, Damiano; Farina, Mauro; Trevisan, Martino; Bartoli, Alberto (2025). "Analysing the Temporal Dynamics of the Exploit Prediction Scoring Systems (Epss)". doi.org. Retrieved 15 March 2026.
  5. "Exploit Prediction Scoring System (EPSS) Special Interest Group (SIG)". FIRST – Forum of Incident Response and Security Teams. Retrieved 16 April 2026.
  6. "What Is an EPSS Score?". Brinqa. 10 February 2024. Retrieved 14 April 2025.
  7. "EPSS Special Interest Group Portal". FIRST. Retrieved 14 April 2025.
  8. "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.
  9. Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].
  10. Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].

Content Disclaimer

This information is summarized from Wikipedia and presented here for educational purposes. The content is available under the CC BY-SA 3.0 license. We are not responsible for inaccuracies in data that originates from those public contributions.

  1. The information displayed on this website is sourced in part or in whole from Wikipedia and has been adapted for presentation here. We strive to provide accurate and relevant information, however:
  2. There is no guarantee of absolute accuracy. Wikipedia is an open, collaborative project that can be edited by anyone, so information is subject to change.
  3. It is not intended to constitute professional advice. The content displayed is for informational and educational purposes only. For important decisions (e.g., medical, legal, or financial), please consult a professional.
  4. Content copyright. Wikipedia is licensed under the Creative Commons Attribution-ShareAlike License (CC BY-SA). This means that content may be reused with appropriate attribution and shared under a similar license.
  5. Responsible use. Any risk arising from the use of information from this website is entirely the responsibility of the user.