Skip to content
07.01.2021 by Jay Jacobs

Exploit Prediction Scoring System

Abstract

Despite the large investments in information security technologies and research over the past decades, the information security industry is still immature when it comes to vulnerability management. In particular, the prioritization of remediation efforts within vulnerability management programs predominantly relies on a mixture of subjective expert opinion and severity scores. Compounding the need for prioritization is the increase in the number of vulnerabilities the average enterprise has to remediate. This article describes the first open, data-driven framework for assessing vulnerability threat, that is, the probability that a vulnerability will be exploited in the wild within the first 12 months after public disclosure. This scoring system has been designed to be simple enough to be implemented by practitioners without specialized tools or software yet provides accurate estimates (ROC AUC =0.838)=0.838) of exploitation. Moreover, the implementation is flexible enough that it can be updated as more, and better, data becomes available. We call this system the Exploit Prediction Scoring System (EPSS). Read research paperLink to https://dl.acm.org/doi/fullHtml/10.1145/3436242

Other Research

imageLink to /research/supporting-epss-our-vision-for-a-more-data-driven-future
04.01.2025
Supporting Epss: Our Vision for a More Data-driven FutureSupporting Epss: Our Vision for a More Data-driven FutureRead MoreRead More
imageLink to /research/announcing-the-empirical-security-global-model
03.25.2025
Announcing the Empirical Security Global ModelAnnouncing the Empirical Security Global ModelRead MoreRead More