Exploit Prediction Scoring System (EPSS)
Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael, Roytman, Idris Adjerid

TL;DR
The paper introduces EPSS, a simple, data-driven scoring system that predicts the likelihood of a vulnerability being exploited within a year, aiding prioritization in vulnerability management.
Contribution
It presents the first open, flexible, and practical framework for estimating vulnerability exploitation probability based on empirical data.
Findings
EPSS provides accurate exploitation likelihood estimates.
The system is easy to implement without specialized tools.
EPSS can be updated with new data for improved accuracy.
Abstract
Despite the massive investments in information security technologies and research over the past decades, the information security industry is still immature. In particular, the prioritization of remediation efforts within vulnerability management programs predominantly relies on a mixture of subjective expert opinion, severity scores, and incomplete data. Compounding the need for prioritization is the increase in the number of vulnerabilities the average enterprise has to remediate. This paper produces the first open, data-driven framework for assessing vulnerability threat, that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented by practitioners without specialized tools or software, yet provides accurate estimates of exploitation.…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
