Yes, EPSS actually is a better prioritization tool than CVSS
In “A Visual Exploration of Exploitation in the Wild: The Inaugural Study of EPSS Data and Performance,” the Cyentia Institute and FIRST found that only 5-6% of reported open source vulnerabilities are exploited. This highlights the importance of combining vulnerability prioritization methods to reduce overwhelm, such as considering EPSS alongside CVSS or, better still, combining reachability analysis with EPSS.
For those not familiar with the Exploit Prediction Scoring System (EPSS), the official definition is:
a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
It provides a probability score between 0 and 1 (i.e. 0% to 100%) that a vulnerability will be exploited. Scores are generated daily for all CVEs and reflect the probability of exploitation within the next 30 days.
Endor Labs has published several articles on EPSS, such as:
The number of CVEs is growing exponentially
Organizations can’t keep up with the number of vulnerability findings discovered by their security tools (such as SCA), for a myriad of reasons: explosive vulnerability growth, resource shortages, gaps in visibility, challenges with buy-in from engineering, development and business peers, and more.
The problem is only going to get worse as software becomes more pervasive, GenAI accelerates code development cycles, and vulnerability research and discovery accelerate.
This emphasizes the need to focus on what is actually relevant (e.g. known exploitation, exploitation probability, reachable/exploitable, business critical and so on).
Only 6% of those are exploitable - and the rate hasn’t changed much
Think for a moment about how many organizational resources across the entire cybersecurity ecosystem are absolutely wasted focusing on the 94% of vulnerabilities that weren’t known to be exploited, and may never end up getting exploited.
Consider all of the back and forth, churn, toil, frustration and resentment we’ve fostered with Development, Engineering and Business peers by making them chase down and spend time and energy on things that ultimately never presented any risk to the business.
Plus, attackers are becoming more likely to exploit older CVEs
The researchers took a look at how old CVEs are when they get targeted for exploitation. What they found was a fairly broad range, showing that attackers not only target new, shiny vulnerabilities but also years- or decades-old vulnerabilities, as long as they are present and welcoming.
Attackers are equal opportunity exploiters.
Combine these facts and the case is clear: EPSS > CVSS
To put it bluntly, EPSS far outperforms alternatives like CVSS and prioritizing all “High” and “Critical” vulnerabilities, as seen in the picture below, because under those alternatives a massive amount of time is wasted chasing down and remediating vulnerabilities that are never exploited and pose insignificant risk.
So where do we go from here?
While EPSS is far from perfect on its own, it represents an exponential improvement in efficiency when prioritizing vulnerabilities for remediation with finite time and resources, a challenge every organization suffers from regardless of size, capability and budget.
Couple that with the reality, discussed above, that most organizations have vulnerability backlogs in the hundreds of thousands to millions, and optimizing the efficiency of vulnerability prioritization becomes key.
That said, as the EPSS study itself says, EPSS doesn’t have to be, and shouldn’t be, used in isolation. When coupled with additional organizational context such as asset criticality, data sensitivity, internet accessibility, reachability analysis, compensating controls and more, it represents a tremendously improved approach to vulnerability management.
At Endor Labs, we have long championed the combination of CVSS, reachability analysis, and EPSS scores. The whole is really greater than the sum of its parts.
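As an added example (not Endor Labs code or the article's own), the script below shows how the score described earlier is consumed in practice and how the three signals are combined: it parses a constructed document shaped like the FIRST EPSS API v1 response (that shape is an assumption here; check it against the live API), joins the scores onto constructed SCA findings, and compares the work queue produced by a "fix all High and Critical" CVSS policy with an EPSS-first policy and with a combined policy that also uses reachability and known-exploitation status. All CVE ids, scores and reachability flags are placeholders invented for the example.

```python
"""Prioritise findings with EPSS, reachability and CVSS together.

Added example for this article; it is not Endor Labs code. Every CVE id,
score and reachability flag below is constructed for illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    epss: float              # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    reachable: bool          # reachability analysis: can application code reach the vulnerable function?
    known_exploited: bool = False   # already observed exploited in the wild (e.g. a KEV-style catalog)


# Constructed sample shaped like the FIRST EPSS API v1 response (assumed shape;
# verify against the live API). Scores are illustrative, ids are placeholders.
EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-EXAMPLE-0001", "epss": "0.020000000", "percentile": "0.87", "date": "2024-01-01"},
        {"cve": "CVE-EXAMPLE-0002", "epss": "0.010000000", "percentile": "0.81", "date": "2024-01-01"},
        {"cve": "CVE-EXAMPLE-0003", "epss": "0.450000000", "percentile": "0.97", "date": "2024-01-01"},
        {"cve": "CVE-EXAMPLE-0004", "epss": "0.720000000", "percentile": "0.98", "date": "2024-01-01"},
        {"cve": "CVE-EXAMPLE-0005", "epss": "0.300000000", "percentile": "0.96", "date": "2024-01-01"},
        {"cve": "CVE-EXAMPLE-0006", "epss": "0.003000000", "percentile": "0.65", "date": "2024-01-01"},
    ],
})

# Constructed SCA output: (cve, cvss, reachable, known_exploited)
SCA_FINDINGS = [
    ("CVE-EXAMPLE-0001", 9.8, False, False),
    ("CVE-EXAMPLE-0002", 9.1, True, False),
    ("CVE-EXAMPLE-0003", 7.5, True, False),
    ("CVE-EXAMPLE-0004", 5.3, True, False),
    ("CVE-EXAMPLE-0005", 6.5, False, True),
    ("CVE-EXAMPLE-0006", 7.2, False, False),
]


def parse_epss(response_text: str) -> dict[str, float]:
    """Map CVE id -> EPSS probability. The API serialises scores as strings."""
    payload = json.loads(response_text)
    return {row["cve"]: float(row["epss"]) for row in payload["data"]}


def enrich(sca_rows, epss_scores) -> list[Finding]:
    """Join SCA findings with EPSS. A CVE the feed has not scored yet defaults to
    0.0 here; treat that as 'unknown', not 'safe', and fall back to CVSS for it."""
    return [Finding(cve, cvss, epss_scores.get(cve, 0.0), reachable, kev)
            for cve, cvss, reachable, kev in sca_rows]


def cvss_severity(score: float) -> str:
    """CVSS v3 qualitative rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def cvss_strategy(findings):
    """Baseline policy: remediate everything rated High or Critical."""
    return [f for f in findings if cvss_severity(f.cvss) in ("High", "Critical")]


def epss_strategy(findings, threshold=0.1):
    """EPSS-first policy: known-exploited CVEs plus anything at or above the threshold."""
    return [f for f in findings if f.known_exploited or f.epss >= threshold]


def priority_key(f: Finding):
    """Sort key: known exploited first, then reachable, then EPSS, then CVSS (both descending)."""
    return (not f.known_exploited, not f.reachable, -f.epss, -f.cvss)


def prioritize(findings, epss_threshold=0.1):
    """Split into an 'act now' queue (reachable and likely or known exploited)
    and an ordered backlog; both are sorted with priority_key."""
    act_now = [f for f in findings
               if f.reachable and (f.known_exploited or f.epss >= epss_threshold)]
    backlog = [f for f in findings if f not in act_now]
    return sorted(act_now, key=priority_key), sorted(backlog, key=priority_key)


if __name__ == "__main__":
    findings = enrich(SCA_FINDINGS, parse_epss(EPSS_RESPONSE))
    print("CVSS High/Critical queue:", [f.cve for f in cvss_strategy(findings)])
    print("EPSS >= 0.1 or known exploited:", [f.cve for f in epss_strategy(findings)])
    act_now, backlog = prioritize(findings)
    print("Act now:", [f.cve for f in act_now])
    print("Backlog:", [f.cve for f in backlog])
```

On the sample data the CVSS policy queues four of six findings, two of which have EPSS below 3%, while the EPSS-first policy queues three. The combined policy pushes only the two reachable, likely-exploited findings into the "act now" queue and leaves the known-exploited but unreachable one at the top of the backlog, which is the place to re-check compensating controls and reachability before deciding it can wait. The 0.1 threshold is a tuning knob, not a standard; pick it from your own backlog size and capacity.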
Case Study: Jellyfish's EPSS-Driven Security Program
The case of Jellyfish exemplifies the transformative power of EPSS scores. By incorporating EPSS into their security strategy, Jellyfish was able to refine their vulnerability management process significantly. This data-driven approach allowed them to accurately prioritize threats, leading to better resource allocation and enhanced security measures. The results were clear: a marked improvement in their ability to mitigate potential exploits and a more robust security framework overall.
For a deeper dive into these insights, read Vulnerability Exploitation in the Wild by Chris H., Chief Security Officer at Endor Labs.
CVSS is fact-based. EPSS speculates what might happen in 30 days based on CVSS. So EPSS can't help today. And EPSS doesn't exist without CVSS. So use CVSS today and decide to Act or not; if not, then Act later in a backlog, and then EPSS helps prioritisation of the backlog. Come join the First.org community to learn facts about scoring systems.
Looking forward to using the EPSS score in the OSS world; currently it supports vendor-based vulnerabilities only!