EPSS (Exploit Prediction Scoring System)

EPSS is a daily-updated probability — 0 to 1 — that a given CVE will be exploited in the next 30 days, computed by FIRST.org from a machine-learning model.

Definition

The Exploit Prediction Scoring System (EPSS) is a community-driven scoring framework, maintained by the EPSS special interest group at FIRST.org, that estimates the probability that a given CVE will be exploited in the wild within the next 30 days. The score is a number between 0 and 1: an EPSS of 0.95 means the model predicts exploitation is very likely, while 0.001 means it is predicted to be very unlikely. Each score is published alongside a percentile, the fraction of all scored CVEs with an equal or lower EPSS, which tells you how a CVE ranks against the rest of the corpus rather than only its absolute probability.

EPSS complements CVSS rather than replacing it. CVSS scores the severity of a vulnerability if it is exploited; EPSS scores the likelihood that it will be. A CVSS 10.0 vulnerability with an EPSS of 0.001 is severe if exploited but, on the model's evidence, unlikely to be, whereas a CVSS 5.3 vulnerability with an EPSS of 0.45 deserves earlier attention than its severity alone suggests. That is useful context when patching capacity is limited, with two caveats: EPSS is a prediction, not an observation (confirmed in-the-wild exploitation is what catalogues such as CISA's Known Exploited Vulnerabilities list record), and a CVE published after the most recent daily run has no score yet. CVE Explore ingests EPSS daily at 02:15 UTC and surfaces both the probability and the percentile rank.

How it works

FIRST.org's model is trained on a large feature set that includes the CVE record itself (description text, affected vendor and products, CWE, CVSS metrics, age since publication), indicators of exploit availability such as public proof-of-concept code and inclusion in exploitation frameworks and offensive-security tools, listing in CISA's Known Exploited Vulnerabilities catalogue, and ground-truth exploitation telemetry contributed by partner vendors. Scores for all CVEs are regenerated daily as that feature data changes; the model itself is revised less often, in versioned releases (v3 in March 2023, v4 in March 2025). The full daily dump is published as a gzipped CSV at `https://epss.cyentia.com/` (the current file is `epss_scores-current.csv.gz`): one leading `#` line carrying the model version and score date, then one `cve,epss,percentile` row per CVE. Individual CVEs can also be queried from the FIRST API at `https://api.first.org/data/v1/epss?cve=CVE-2021-44228`.
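The following is an added example, not code from CVE Explore or FIRST.org, showing how the daily dump described above is parsed and how EPSS is crossed with CVSS for the prioritization discussed under Definition. The file layout it reads (one `#` metadata line, then `cve,epss,percentile` rows) matches the published dump; the sample rows, the CVSS values, the `CVE-0000-*` placeholder identifiers and the triage thresholds are constructed for illustration and are not FIRST guidance.

```python
"""Parse an EPSS daily dump and combine it with CVSS to bucket patch work.

Added example, not code from CVE Explore or FIRST.org. The file layout it
parses (one '#' metadata line, then cve,epss,percentile rows) matches the
published dump; the sample rows, CVSS values and thresholds are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample in the layout of epss_scores-current.csv. Values are
# illustrative; CVE-0000-* are placeholder identifiers, not real CVEs.
SAMPLE_EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97500,0.99990
CVE-0000-0001,0.00100,0.21000
CVE-0000-0002,0.45000,0.97000
CVE-0000-0003,0.00040,0.10000
"""

# Constructed CVSS base scores for the same CVEs. CVE-0000-0004 is deliberately
# absent from the EPSS sample to exercise the "not yet scored" path.
SAMPLE_CVSS = {
    "CVE-2021-44228": 10.0,
    "CVE-0000-0001": 9.8,
    "CVE-0000-0002": 5.3,
    "CVE-0000-0003": 7.5,
    "CVE-0000-0004": 8.8,
}

# Assumed triage thresholds, not FIRST guidance; tune to your own risk appetite.
EPSS_LIKELY = 0.10
CVSS_HIGH = 7.0
BUCKET_ORDER = {"patch-now": 0, "patch-soon": 1, "unscored": 2,
                "schedule": 3, "backlog": 4}


@dataclass(frozen=True)
class EpssRecord:
    cve: str
    epss: float        # P(exploitation within 30 days), 0..1
    percentile: float  # fraction of scored CVEs with an equal or lower EPSS, 0..1


def parse_epss_csv(text):
    """Return (metadata, {cve: EpssRecord}) from a dump in the daily-CSV layout.

    The leading '#model_version:...,score_date:...' line is metadata, not a
    CSV row, so it is split out before the table is handed to csv.DictReader.
    Scores outside [0, 1] indicate a corrupt or truncated file and are rejected.
    """
    meta, body = {}, []
    for line in text.splitlines():
        if line.startswith("#"):
            for item in line[1:].split(","):
                key, _, value = item.partition(":")
                meta[key.strip()] = value.strip()
        elif line.strip():
            body.append(line)
    records = {}
    for row in csv.DictReader(io.StringIO("\n".join(body))):
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"{row['cve']}: score outside [0, 1]")
        records[row["cve"]] = EpssRecord(row["cve"], epss, pct)
    return meta, records


def prioritize(cvss, epss_records):
    """Bucket CVEs by severity (CVSS) crossed with likelihood (EPSS).

    Returns (cve, bucket, cvss, epss) tuples, most urgent first. A CVE missing
    from the dump (typically one published after the last daily run) is kept
    in its own bucket rather than silently treated as probability 0.
    """
    rows = []
    for cve, severity in cvss.items():
        rec = epss_records.get(cve)
        if rec is None:
            bucket, p = "unscored", 0.0
        elif severity >= CVSS_HIGH and rec.epss >= EPSS_LIKELY:
            bucket, p = "patch-now", rec.epss    # severe and likely exploited
        elif rec.epss >= EPSS_LIKELY:
            bucket, p = "patch-soon", rec.epss   # likely exploited, lower impact
        elif severity >= CVSS_HIGH:
            bucket, p = "schedule", rec.epss     # severe if exploited, probably won't be
        else:
            bucket, p = "backlog", rec.epss
        rows.append((cve, bucket, severity, p))
    rows.sort(key=lambda r: (BUCKET_ORDER[r[1]], -r[3], -r[2]))
    return rows


if __name__ == "__main__":
    meta, records = parse_epss_csv(SAMPLE_EPSS_CSV)
    print(f"EPSS model {meta['model_version']} scored {meta['score_date']}")
    for cve, bucket, severity, p in prioritize(SAMPLE_CVSS, records):
        print(f"{bucket:10} {cve:16} CVSS {severity:4.1f}  EPSS {p:.4f}")
```

Run against the real dump, `parse_epss_csv` takes the decompressed contents of `epss_scores-current.csv.gz`; keep the `score_date` from the metadata line with your results so a stale download is visible, and treat a CVE in the `unscored` bucket as "no evidence either way" rather than as low risk.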

Mitigation

Not applicable. EPSS is a prioritization signal rather than a vulnerability; use it to order remediation work, not as grounds to leave a critical issue unpatched.

Examples

  • CVE-2021-44228 (Log4Shell) — EPSS hovers near 0.97, with a percentile of about 1.00, i.e., it sits within the top fraction of a percent of all scored CVEs.
