EPSS (Exploit Prediction Scoring System) measures how likely a particular vulnerability is to be exploited in the wild. EPSS scores range from 0% (the lowest probability of exploitation) to 100% (the highest probability of exploitation). In addition, since it can be hard to extrapolate the true meaning from a probability score alone, EPSS also provides percentile rankings; percentile rankings measure EPSS probability relative to all other EPSS scores. The combination of probability and percentile enables advanced prioritization inputs.

EPSS exists to address a problem that security practitioners know all too well: We’re drowning in CVEs — including many high-severity CVEs — but the majority aren’t actually exploitable. This, of course, can make it difficult to prioritize vulnerability remediation efforts.  

By providing an objective measure of the likelihood of exploitability, EPSS can be a valuable input in vulnerability prioritization alongside other external data points like CVSS (Common Vulnerability Scoring System) and VEX (Vulnerability Exploitability eXchange).

In this blog, we’ll dive into the specifics of the EPSS model, discuss how it compares to CVSS and VEX, and explain how EPSS scores can be integrated into a comprehensive vulnerability management program.

But first, let’s start with a brief review of EPSS’ history and its data model.

EPSS History and Data Model

EPSS is managed by the Forum of Incident Response and Security Teams (FIRST) in partnership with a range of public and private sector contributors. The first version of the EPSS scoring system was released in April of 2021. Version 2.0 was published in February 2022, and the current V 3.0 was released in March of 2023.

Whenever a new CVE is published, an accompanying EPSS score will be released. The score is intended to communicate the “probability of exploitation activity in the next 30 days.”

According to the model’s website, EPSS is currently collecting data from multiple sources, such as:

  1. The CVE List from Mitre
  2. Number of days the CVE has been published
  3. Published exploit code in any of: Metasploit, ExploitDB, and/or GitHub
  4. Multiple security scanners
  5. CVSS v3 vectors in the base score as published in the National Vulnerability Database (NVD)
  6. CPE data as published in NVD

In all, EPSS is trained on over 1,000 variables. For a more comprehensive explanation of the EPSS model, we recommend you visit FIRST’s website

EPSS vs. CVSS

Like EPSS, CVSS (Common Vulnerability Scoring System) is governed by FIRST, and the two models share similar objectives in helping security practitioners understand and prioritize vulnerabilities. But while EPSS focuses on vulnerability exploitability, CVSS primarily aims to communicate vulnerability severity.

CVSS assigns severity scores on a 0 (lowest) to 10 (highest) basis. The ranges are as follows:

None: 0

Low: 0.1 - 3.9

Medium: 4.0 - 6.9

High: 7.0 - 8.9

Critical: 9.0 - 10.0

As an example, the Log4J vulnerability CVE-2021-44228 was assigned a severity rating of 10.0, the highest possible.

CVSS scores represent “the intrinsic qualities of a vulnerability that are constant over time and across user environments,” such as integrity impact, availability impact, attack vector, and more. 

There are other elements of the CVSS that take into account a) factors that do change over time, such as exploit code maturity, and b) factors specific to user environments. But these aren’t part of the CVSS score that gets published.

EPSS vs. VEX

EPSS isn’t the only resource for assessing vulnerability exploitability. VEX (Vulnerability Exploitability eXchange) also seeks to help measure exploitability, but it works very differently than EPSS.

VEX information is provided by the software supplier based on internal inputs. When using VEX, the supplier assigns a status to the vulnerability (Affected, Not Affected, Under Investigation, or Fixed) as well as a status justification. For example, the supplier may assign a status of “Fixed” if the vulnerability has been patched. Or, the supplier may assign a status of “Not Affected” with a justification of “Component_not_present” if, say, the vulnerable module isn’t included in the production deployment.

In contrast, EPSS scores are informed by external data input described in previous sections. 

As such, VEX and EPSS are complementary and can be used in tandem to help prioritize remediation efforts.

How to Use EPSS Scores

Security practitioners can use EPSS scores in several ways:

Because EPSS scores are informed estimates based on a data model, real-world evidence of exploitability should take precedence over EPSS when informing vulnerability remediation decisions.

FOSSA users with subscriptions to our Vulnerability Management product can easily leverage EPSS scores to help guide vulnerability prioritization. You can do this in multiple ways:

  1. To prioritize by EPSS score for vulnerabilities across all projects: Navigate to the Security Issues tab in your FOSSA dashboard. Ensure your issues are ungrouped. Click on the sort options in the top right-hand corner of your screen, and select “Highest EPSS.” You’ll then see a list of all vulnerabilities across your organization, starting with the highest EPSS score and ending with the lowest. To help contextualize the EPSS score, you’ll also see its percentile compared to other vulnerabilities. This view also includes other vulnerability context, like CVSS, CVE, and fix. 
  2. To prioritize by EPSS score for vulnerabilities across a single project: Click on the project that you’d like to analyze, then open the Security Issues tab. From there, you’d follow the same filtering process as described above. 
EPSS Score Examples

The screenshot above provides a quick example of the value of EPSS. Although CVE-2021-45105 has a CVSS score of 5.9 (and is thus categorized as a medium-severity vulnerability), it is actually in the 99th percentile of EPSS scores and thus should be prioritized over many higher-severity CVEs with lower EPSS scores. 

If you’d like to learn more about how FOSSA can support your organization’s vulnerability management program, please reach out to our team.