Building on the critiques of CVSS, some have called for using Exploit Prediction Scoring System Exploit Prediction Scoring System (EPSS), or combining both CVSS and EPSS to make vulnerability metrics more actionable and efficient. Like CVSS, EPSS is governed by FIRST. EPSS prides itself on being an open and data-driven effort that aims to estimate the probability that a software vulnerability will be exploited in the wild. CVSS focuses on the innate characteristics of vulnerabilities culminating in a severity score. That said, just the severity score alone doesn’t indicate a likelihood of exploitation, which is critical information for vulnerability management professionals who need to prioritize their vulnerability remediation and mitigation efforts to maximize their impact on reducing organizational risk. EPSS has a Special Interest Group (SIG) that is open to the public for those interested in participating in the effort. EPSS is volunteer driven and led by researchers, security practitioners, academics and government personnel. That said, FIRST can and does own the rights to update the model and the associated guidance as the organization sees fit, despite this industry collaborative driven approach. Currently the group boasts chairs and creators from organizations such as RAND, Cyentia, Virginia Tech and Kenna Security among many members from a variety of organizations. EPSS has several related papers that dive into associated topics such as Attack Prediction, Vulnerability Modeling and Disclosure and Software Exploitation among other topics.
EPSS aims to help security practitioners and their organizations improve vulnerability prioritization efforts. There are an exponential number of vulnerabilities in today’s digital landscape, and that number is only increasing due to factors such as increased digitization of systems and society, increased scrutiny of digital products and improved research and reporting capabilities. EPSS points out that organizations generally can only fix between 5-20% of vulnerabilities on a monthly basis. There is also the reality that less than 10% of vulnerabilities that get published are ever known to be exploited in the wild. There are also longstanding workforce issues at play, such as the annual ISC2 Cybersecurity Workforce Study, which shows shortages exceeding two million cybersecurity professionals globally.
These factors warrant organizations having a coherent and effective approach to aid in prioritizing vulnerabilities that pose the highest risk to their organization to avoid wasting limited resources and time. The EPSS model aims to provide some support by producing probability scores that a vulnerability will be exploited in the next 30 days and the scores range between 0 and 1 or 0% and 100%. To provide these scores and projections, EPSS utilizes data from various sources such as the MITRE CVE list, data about CVE’s such as days since publication and observations from exploitation-in-the-wild activity from security vendors such as AlienVault and Fortinet.
The EPSS team published data to support their approach of using not just CVSS scores but coupling that with EPSS scoring data to lead to more effective vulnerability remediation efforts. For example, many organizations mandate that vulnerabilities with a specific CVSS score or higher must be remediated, such as a 7 or above. But this prioritizes vulnerability remediation based on only the CVSS score, not if the vulnerability is known to be exploited or not. Coupling EPSS with CVSS is more effective because then they prioritize vulnerabilities not merely off their severity rating but also if they are known to be actively exploited, letting organizations address CVE’s that pose the greatest risk to the organization.
EPSS focuses on two core metrics which are efficiency and coverage. Efficiency is a look at how organizations are efficiently using resources to resolve the percentage of remediated vulnerabilities. EPSS points out that it is more efficient for most of an organization’s resources to be spent remediating mostly known-exploited vulnerabilities, as opposed to random vulnerabilities based on only severity scores via CVSS. Coverage is a look at the percentage of exploited vulnerabilities that were remediated.
To show the efficiency in their proposed approach, EPSS conducted a study in 2021 utilizing CVSS v3 base scores, EPSS v1 and EPSS v2 data. They looked over a 30-day period to determine the total number of CVE’s, the number of remediated CVE’s and the number of exploited CVE’s. As you can see from the diagram below a couple of things jump out. Initially, the reality is that the majority of CVE’s simply aren’t remediated. Secondly, that the number of exploited CVE’s that are remediated is just a subset of the total remediated CVE’s. This means that organizations don’t remediate most CVE’s, and among those they do, many aren’t actively known to be exploited and potentially don’t pose the greatest risk. It also demonstrates that the EPSS v2 further improves the efficiency of vulnerability remediation efforts by maximizing the percentage of exploited vulnerabilities that are remediated. When organizations have resource challenges with cybersecurity practitioners, it is crucial to maximize their return on investment by having the resources focus on the vulnerabilities that pose the greatest risk to the organization. Ultimately, EPSS is trying to help organizations make more efficient use of their limited resources and improve their effectiveness of driving down organizational risk.
Much like CVSS, EPSS isn’t without critiques from the industry and academia either. One article titled “Probably Don’t Rely On EPSS Yet” comes from Carnegie Mellon University’s Software Engineering Institute’s Blog. SEI originally published a paper titled “Towards Improving CVSS” which laid out some sharp criticisms of CVSS, from which EPSS originated shortly after the publication.
Some of the primary criticisms leveled by the article include EPSS’s opacity as well as issues with its data and outputs. The article discusses how it isn’t clear how the development processes, governance or intended audience of EPSS is dictated. It is pointed out that EPSS relies of pre-existing CVE ID’s, meaning it wouldn’t be helpful for entities such as software suppliers, incident response teams or bug bounty groups due to the reality that many vulnerabilities these groups deal with don’t have CVE ID’s yet, and many never receive them. There is the issue that EPSS wouldn’t be helpful when dealing with zero-day vulnerabilities, given they gain visibility as exploitation is underway already, despite the lack of a known correlating CVE ID.
The author also raises concerns about the openness and transparency of EPSS. While EPSS dubs itself an open and data-driven effort, and even has a Special Interest Group (SIG), EPSS, and the governing organization, FIRST, still retain the right to change the site and model at any time, without explanation. There is also the reality that even SIG members have no access to the code or data that is used in the underlying EPSS model. The SIG itself has no oversight or governance of the model and the process by which the model is updated or modified isn’t transparent to the public, let alone SIG members. The article points out that the EPSS model and data could also be pulled back from public donation and use, given it is governed and managed by FIRST.
The article demonstrates that EPSS focuses on the probability that a vulnerability will be exploited in the next 30 days. But this requires a few fundamental things to exist for it to be projected. These include an existing CVE ID in the NVD with an associated CVSS v3 vector value, an IDS signature tied to an active attempted exploit of the CVE ID, contribution from AlienVault or Fortinet who provide data to EPSS and lastly the model itself tied to the next 30 days. As the author pointed out, only 10% of vulnerabilities with CVE ID’s have accompanying IDS signatures, meaning 90% of vulnerabilities with CVE IDs may go undetected for exploitation. This also creates a dependency on Fortinet and AlienVault with regards to IDS sensors and associated data and could be mitigated to some extent by further involvement from the broader security vendor community.