Forrest Allison
Alex Vanderpot
Free Wortley

Vulnerability Severity Scoring

Most security folks are already familiar with CVSS as a framework used by NVD to try to assign a quantifiable severity score to vulnerabilities. They also know never to take CVSS scores at face value and to always take them with a grain of salt.

Why can't we trust CVSS alone? Simply put, because CVSS doesn't include how likely a vulnerability is to be exploited in reality. It's just a formula that lives in a vacuum and lacks the context necessary to help organizations accurately assess the risk of a breach if a vulnerability is left unpatched.

That's where an exciting new effort, called EPSS, comes in.

What is EPSS?