The Importance of EPSS in Vulnerability Prioritization: A Holistic Approach

Eran Medan
CTO & Co-Founder
March 30, 2023
Eran has spent the last 20+ years as an accomplished software engineer and technology executive, leading teams at Amazon Web Services and NICE Actimize.


Emerging technologies are often met with skepticism and a degree of caution, and the Exploit Prediction Scoring System (EPSS) is no exception. As a tool for evaluating Common Vulnerabilities and Exposures (CVE) exploitability, EPSS has attracted praise, criticism, and response to criticism. However, while EPSS is still climbing its hype cycle, it is worth our collective attention and evaluation.

In this post, we will explore the practical role of EPSS in prioritizing vulnerabilities, compare EPSS vs. CVSS – Common Vulnerability Scoring System), and explore how EPSS fits into a more comprehensive vulnerability management framework.


What is Exploit Prediction Scoring System (EPSS)?

The Exploit Prediction Scoring System (EPSS) was created by the Forum of Incident Response and Security Teams (FIRST) and first presented in Blackhat 2019. To quote the formal EPSS website:

The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.  
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

What is Common Vulnerability Scoring System (CVSS)?

EPSS is often mentioned in the same breath as Common Vulnerability Scoring System (CVSS). Again, the formal CVSS web page (also maintained by FIRST) describes it the best:

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Thus, both EPSS and CVSS are maintained and developed by FIRST, with the common goal of assisting organizations in prioritizing vulnerability remediation efforts to tackle potential vulnerabilities. The question then arises: which one should you use?

There are two universally correct answers that may both be cliché, but are also accurate in this situation:  

  1. “Why not both?” (Answering a question with a question never fails)
  2. Of course... “It depends” (The best answer whether you know the answer or not)

The difference between EPSS vs. CVSS

To understand the performance of EPSS vs. CVSS, the researchers from the Blackhat paper (Jay Jacobs, et al.) computed metrics such as true positive rate (TPR), false positive rate (FPR), efficiency (precision), and coverage (recall) for both systems using a sample dataset. These metrics help evaluate how well each system identifies and prioritizes vulnerabilities.

Examining the key performance indicators of CVSS vs. EPSS
Examining the key performance indicators of CVSS vs. EPSS

The results showed that EPSS theoretically outperforms CVSS in terms of reduction in effort as can be seen in this diagram (Jay Jacobs, et al., Table 5, page 14). This is especially significant for vulnerabilities with a base CVSS above 9.0.

The Vulnerability Prioritization Funnel

Nevertheless, it is important to acknowledge that EPSS, by itself, should not be regarded as a comprehensive solution to address all vulnerability prioritization challenges, nor does it claim to be one.

Prioritizing vulnerabilities can be visualized as a funnel, where each step helps focus on what needs to be addressed. The process involves the following steps:

Visualizing risk prioritization as a funnel
Visualizing risk prioritization as a funnel
  1. Business Context: Assessing the potential business impact of an unpatched vulnerability is essential. For instance, a vulnerability in a nuclear reactor control system would have a far greater priority than one in a simple React tutorial repository.
  2. Theoretical Exploitability: This step involves figuring out how easy it would be to exploit the vulnerability in theory, considering factors such as the CVSS exploitability metrics (e.g., Attack Complexity, Privileges Required, and User Interaction).
  3. Empirical Exploitability: Finding evidence of an exploit in the wild is crucial. This can be achieved through sources such as Known Exploited Vulnerabilities (KEV), EPSS, and other threat intelligence platforms.)
  4. Practical Exploitability: Assessing whether your code is using the library in a way that makes the exploit relevant is important. Considerations such as transient vs direct dependency and whether it is a development/test-only dependency should be considered.
  5. Fixable: Finally, figuring out if a fix is available for the vulnerability is a critical step in prioritization.

EPSS and Its Role in Prioritizing Vulnerabilities

EPSS, KEV, and similar sources provide valuable insights into the exploitability of vulnerabilities. However, they should not be relied upon as the sole source of information. It provides insight into half of the equation for risk (likelihood), while the other half (impact) requires a business impact analysis.  

By using EPSS, KEV, and CVSS as part of a more comprehensive vulnerability management approach, organizations can benefit from its insights while considering other aspects such as business context, exploitability, and fixability. This integrated approach allows for better prioritization of resources and efforts to address vulnerabilities.

Conclusion: EPSS is part of a comprehensive vulnerability prioritization strategy

EPSS, though still an emerging technology, is a valuable tool in the toolbox of organizations looking to prioritize vulnerabilities. It should be used in conjunction with other vulnerability management techniques, considering factors such as business impact, exploitability, and the availability of fixes. By adopting a comprehensive approach to vulnerability prioritization, organizations can make better-informed decisions and distribute resources more effectively to protect their systems and data from potential threats.


More from our blog

Why Secret Scanning Visibility Should Be Free & Understanding Where There is Value
Why Secret Scanning Visibility Should Be Free & Understanding Where There is Value
July 11, 2023
How to Detect & Prevent Source Code Exfiltration
How to Detect & Prevent Source Code Exfiltration
July 5, 2023
The Criticality of Context for Addressing Software Supply Chain Risk
The Criticality of Context for Addressing Software Supply Chain Risk
June 19, 2023