The Common Vulnerability Scoring System (CVSS) is the most frequently cited rating system for assessing the severity of security vulnerabilities. It has been criticized, however, as not being appropriate for assessing and prioritizing the risk those vulnerabilities pose. For this reason, some have called for using the Exploit Prediction Scoring System (EPSS), or combining CVSS with EPSS, to make vulnerability metrics more actionable and efficient. Like CVSS, EPSS is governed by the Forum of Incident Response and Security Teams (FIRST).

EPSS definition

EPSS describes itself as an open, data-driven effort to estimate the probability that a software vulnerability will be exploited in the wild. CVSS, by contrast, focuses on the innate characteristics of a vulnerability and distills them into a severity score. The severity score alone says nothing about the likelihood of exploitation, which is critical information for vulnerability management professionals who need to prioritize remediation and mitigation efforts so they have the greatest effect on organizational risk.

EPSS has a special interest group (SIG) that is open to the public for anyone interested in participating in the effort. EPSS is volunteer driven and led by researchers, security practitioners, academics, and government personnel. Despite this collaborative, industry-driven approach, FIRST owns the rights to update the model and its associated guidance as the organization sees fit. The group's chairs and creators come from organizations such as RAND, Cyentia, Virginia Tech, and Kenna Security, among many members from a variety of organizations. EPSS has published several related papers on topics such as attack prediction, vulnerability modeling and disclosure, and software exploitation.

The EPSS model

EPSS aims to help security practitioners and their organizations improve their vulnerability prioritization efforts.
The number of vulnerabilities in today's digital landscape is growing rapidly, driven by factors such as the increasing digitization of systems and society, closer scrutiny of digital products, and improved research and reporting capabilities. Organizations generally can only fix between 5% and 20% of their vulnerabilities each month, EPSS claims, while fewer than 10% of published vulnerabilities are ever known to be exploited in the wild. Longstanding workforce issues are also at play: the annual ISC2 Cybersecurity Workforce Study puts the global shortage of cybersecurity professionals at more than two million. These factors warrant a coherent and effective approach to prioritizing the vulnerabilities that pose the highest risk to the organization, so that limited resources and time are not wasted.

The EPSS model supports this by producing, for each CVE, a probability that it will be exploited in the next 30 days, expressed as a score between 0 and 1 (0% to 100%). To produce these scores, EPSS uses data from sources such as the MITRE CVE list, attributes of each CVE such as the number of days since publication, and observations of exploitation-in-the-wild activity from security vendors such as AlienVault and Fortinet.

The EPSS team has published data supporting the use of CVSS scores together with EPSS scores to make remediation efforts more effective. For example, many organizations mandate that vulnerabilities at or above a specific CVSS score, such as 7, must be remediated. This prioritizes remediation on the CVSS score alone, regardless of whether the vulnerability is known to be exploited. Coupling EPSS with CVSS is more effective because it prioritizes vulnerabilities on both their severity rating and the likelihood that they are being actively exploited.
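As an added example (not code from the original article or from the EPSS project), the following Python script compares several prioritization policies over the same backlog using the two metrics EPSS itself reports: efficiency, the share of remediated vulnerabilities that were actually exploited, and coverage, the share of exploited vulnerabilities that were remediated. The backlog, its CVSS and EPSS values and its exploitation labels are constructed for illustration, and the identifiers are placeholders rather than real CVE IDs; in practice the EPSS values would come from FIRST's published EPSS data and the exploitation labels from your own detection or threat-intelligence sources.

```python
"""Compare vulnerability-prioritization policies by EPSS's two metrics.

efficiency = (remediated AND exploited) / remediated   -> how much effort hit real threats
coverage   = (remediated AND exploited) / exploited    -> how many real threats were closed
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Vuln:
    vid: str          # placeholder identifier (constructed, not a real CVE ID)
    cvss: float       # CVSS v3 base score, 0.0 to 10.0
    epss: float       # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    exploited: bool   # ground truth: was exploitation observed in the window?


@dataclass(frozen=True)
class Result:
    remediated: int
    efficiency: float
    coverage: float


# Constructed sample backlog. CVSS severity and EPSS probability deliberately
# disagree for several entries, which is exactly where the two metrics diverge.
SAMPLE: List[Vuln] = [
    Vuln("sample-01", 9.8, 0.950, True),
    Vuln("sample-02", 9.8, 0.020, False),
    Vuln("sample-03", 7.5, 0.010, False),
    Vuln("sample-04", 7.5, 0.400, True),
    Vuln("sample-05", 7.2, 0.010, False),
    Vuln("sample-06", 5.3, 0.800, True),   # medium CVSS, high EPSS
    Vuln("sample-07", 5.3, 0.005, False),
    Vuln("sample-08", 4.3, 0.300, False),
    Vuln("sample-09", 8.8, 0.003, False),  # high CVSS, negligible EPSS
    Vuln("sample-10", 6.5, 0.010, False),
]

Selector = Callable[[Vuln], bool]


def evaluate(vulns: Iterable[Vuln], remediate: Selector) -> Result:
    """Apply a remediation rule to the backlog and score it with efficiency and coverage."""
    vulns = list(vulns)
    remediated = [v for v in vulns if remediate(v)]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in remediated if v.exploited]
    efficiency = len(hits) / len(remediated) if remediated else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    return Result(len(remediated), efficiency, coverage)


def cvss_at_least(threshold: float) -> Selector:
    """The common policy: fix everything at or above a CVSS score, e.g. 7.0."""
    return lambda v: v.cvss >= threshold


def epss_at_least(threshold: float) -> Selector:
    """Fix everything whose 30-day exploitation probability meets the threshold."""
    return lambda v: v.epss >= threshold


def cvss_and_epss(cvss_min: float, epss_min: float) -> Selector:
    """Coupled policy: severe AND likely to be exploited."""
    return lambda v: v.cvss >= cvss_min and v.epss >= epss_min


def top_k(vulns: Iterable[Vuln], key: Callable[[Vuln], float], k: int) -> Selector:
    """Budget-constrained policy: only the k highest-ranked items get fixed this month,
    mirroring the observation that organizations fix only 5-20% of their backlog."""
    chosen = {v.vid for v in sorted(vulns, key=key, reverse=True)[:k]}
    return lambda v: v.vid in chosen


def compare(vulns: List[Vuln]) -> dict:
    """Run every policy over the same backlog and return policy name -> Result."""
    budget = 3  # 30% of the sample backlog, an assumed monthly capacity
    strategies = {
        "CVSS >= 7.0": cvss_at_least(7.0),
        "EPSS >= 0.10": epss_at_least(0.10),
        "CVSS >= 7.0 and EPSS >= 0.10": cvss_and_epss(7.0, 0.10),
        f"top {budget} by CVSS": top_k(vulns, lambda v: v.cvss, budget),
        f"top {budget} by EPSS": top_k(vulns, lambda v: v.epss, budget),
    }
    return {name: evaluate(vulns, rule) for name, rule in strategies.items()}


if __name__ == "__main__":
    for name, r in compare(SAMPLE).items():
        print(f"{name:32} remediated={r.remediated:2d} "
              f"efficiency={r.efficiency:.2f} coverage={r.coverage:.2f}")
```

On this constructed backlog the CVSS >= 7.0 policy remediates six items but only two of the three exploited ones (efficiency 0.33, coverage 0.67), while the EPSS >= 0.10 policy remediates four items and catches all three (efficiency 0.75, coverage 1.0); the coupled policy is the most efficient but misses the medium-severity item that is being exploited, which is the trade-off an organization has to make explicitly when it sets thresholds.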
Prioritizing on both dimensions lets organizations address the CVEs that pose the greatest risk to them.

EPSS focuses on two core metrics: efficiency and coverage. Efficiency is the share of remediated vulnerabilities that were actually exploited; it measures how much of an organization's remediation effort lands on vulnerabilities that matter. EPSS points out that it is more efficient to spend most of an organization's resources remediating known-exploited vulnerabilities than vulnerabilities selected only by their CVSS severity score. Coverage is the share of exploited vulnerabilities that were remediated.

To show the efficiency of its proposed approach, EPSS conducted a study in 2021 evaluating CVSS v3 base scores and EPSS v1 and EPSS v2 data over a 30-day period, counting the total number of CVEs, the number remediated, and the number exploited. First, the study showed that most CVEs are not remediated. Second, the exploited CVEs that are remediated are only a subset of all remediated CVEs. In other words, organizations remediate a minority of CVEs, and many of the ones they do remediate are not known to be exploited and may not pose the greatest risk. The study also showed that EPSS v2 further improves the efficiency of remediation efforts by maximizing the percentage of exploited vulnerabilities that are remediated. When cybersecurity practitioners are scarce, it is crucial to maximize their return on investment by focusing them on the vulnerabilities that pose the greatest risk to the organization. Ultimately, EPSS is trying to help organizations make more efficient use of limited resources and become more effective at driving down organizational risk.

EPSS shortcomings

Like CVSS, EPSS has its critics in industry and academia.
One article, titled Probably Don't Rely on EPSS Yet, comes from the blog of Carnegie Mellon University's Software Engineering Institute (SEI). SEI had earlier published a paper titled Towards Improving CVSS, which laid out sharp criticisms of CVSS; EPSS originated shortly after that publication.

The article's primary criticisms concern EPSS's opacity and issues with its data and outputs. It argues that EPSS does not clearly document its development process, its governance, or its intended audience. EPSS relies on pre-existing CVE IDs, so it is of little help to software suppliers, incident response teams, or bug bounty programs, because many of the vulnerabilities these groups deal with do not have CVE IDs yet and may never receive them. For the same reason, EPSS cannot help with zero-day vulnerabilities, which come to light while exploitation is already underway and before any CVE ID exists.

The author also raises concerns about the openness and transparency of EPSS. While EPSS calls itself an open, data-driven effort and has a public SIG, the EPSS team and FIRST retain the right to change the site and the model at any time without explanation. Even SIG members have no access to the code or data behind the model. The SIG has no oversight or governance of the model, and the process by which the model is updated or modified is not transparent to the public, let alone to SIG members. The article also points out that, because FIRST governs and manages EPSS, the model and its data could be withdrawn from the public domain.

The article further notes that EPSS estimates the probability that a vulnerability will be exploited in the next 30 days, but that several things must already exist before such an estimate can be produced.
They include a CVE ID in the NVD with an associated CVSS v3 vector, an IDS signature tied to an attempted exploit of that CVE ID, detection data contributed by AlienVault or Fortinet, and the model's fixed 30-day horizon. As the author points out, only about 10% of vulnerabilities with CVE IDs have accompanying IDS signatures, so exploitation of the remaining 90% may go undetected. This also creates a dependency on Fortinet and AlienVault for IDS sensors and the associated data. Broader involvement from the security vendor community could mitigate this to some extent: while the Fortinet and AlienVault data is useful, it does not represent the entire threat landscape or the perspectives of other major security vendors that could contribute to estimating exploitability.

These are valid critiques, but using EPSS still gives organizations an opportunity to make the most of scarce security resources to drive down organizational risk. Focusing on the vulnerabilities with the highest probability of exploitation lets organizations make the investments most likely to thwart malicious actors while minimizing friction for development teams.