Vulnerability Severity Scoring
Most Security folks are already familiar with CVSS as a framework used by NVD to try to assign a quantifiable severity score to vulnerabilities. They also know to never take CVSS scores at face value and to always view them with a grain of salt.
Why can't we trust CVSS alone? Simply put: Because CVSS doesn't include how likely a vulnerability is to be exploited in reality. It's just a formula that lives in a vacuum and lacks the context necessary to help organizations accurately assess the risk of a breach if left unpatched.
That's where an exciting new effort, called EPSS, comes in.
What is EPSS?
EPSS stands for "Exploit Prediction Scoring System" and it's an attempt to quantify how likely a given CVE is to actually be exploited by attackers in the wild.
The scoring system behind EPSS outputs a probability of the estimated likelihood of exploitation from 0 to 1 or 0% to 100%. Heartbleed has a CVSSv2 score of 5.0/10 and an EPSS score of 0.960760000 (it's 7.5/10 in CVSSv3).
How does EPSS work?
EPSS scores are published by the EPSS volunteers. The API is provided by FIRST. They've made scores available for all CVEs in the published state.
How is EPSS generated?
The EPSS is generated by machine learning (ML). If you ask us, the documentation could be a little more up front about that.
The model itself is proprietary, full stop.2 Too bad, because we would love to get our hands on it.
What data does EPSS use?
It uses a combination of public and proprietary data. Below is a list of some of the data sources.
(If you jump to the end there, you'll see that the private data is also probably the most crucial: real world information from Security Information and Event Management (SIEM) tools.)
- MITRE’s CVE List - Only CVEs in the “published” state are scored
- Text-based “Tags” derived from the CVE description and other sources talking about the vulnerability
- Count of how many days the CVE has been published
- Count of how many references are listed in the CVE
- Published Exploit code in any of: Metasploit, ExploitDB and/or Github
- Security Scanners: Jaeles, Intrigue, Nuclei, sn1per
- CVSS v3 vectors as published in the National Vulnerability Database (NVD)
- CPE (vendor) information as published in NVD
- Ground Truth: Daily observations of exploitation-in-the-wild activity from AlienVault and Fortinet.
This makes sense: If you have real world data about how much a vulnerability is really being exploited, as tracked by real humans through these SIEM tools, you've got a pretty good idea of how much a vulnerability actually matters. You can close the loop.
Naturally, as this data changes, the score is recalculated. This seems to happen roughly daily, at least for important vulnerabilities, as new factors come into play like the maturity of an exploit and as reports of real-world exploitation are observed.
How to view an EPSS Score
There's a free, public JSON API. It's pretty straightforward, but it's far from being the most friendly UX out there!
To test it out, let's ask it about everyone's favorite vulnerability, Log4Shell.
That score of ~0.97 is out of a maximum of 1.0, which makes a ton of sense considering that Log4Shell melted the internet when it was first discovered.
What EPSS doesn't do
EPSS does not consider any variables related to the environment. By this, I mean there is no "frontend score" or "backend score". It's just a single, one dimensional value spit out by the algorithm.
That's too bad for us, because one of the problems we are trying to solve with LunaTrace is tuning our vulnerability prioritization to consider the environment the code is running in. We are working hard to build our own source of signal for that.
The results are opaque
CVSS scores are calculated based on a limited set of inputs and the mathematical formula can be manually computed with a calculator in just a few minutes.
In contrast the opaque machine learning based approach of EPSS is very resistant to manual human calculation. The model is not Open Source and it is more difficult to introspect the results. The only output ever surfaced to consumers is the EPSS score itself, a value between 0 and 1.
Is EPSS relevant?
As far as we can tell, EPSS is a good idea and is a much needed step that helps companies effectively prioritize their security efforts.
But, while it's an exciting system that will eventually help solve the problem of too many CVEs being false positives, it's still early in it's maturity and very few security tools even include it today. There is also more validation required before security experts are willing to put their weight behind recommending that companies or standards rely on EPSS4.
How to try out EPSS
We've been adding EPSS support to our security tool, LunaTrace, available on GitHub56 that automatically scans your packages for known CVEs and gives you a dashboard to filter by risk scores like CVSS and EPSS. (In addition to helping you quickly patch them.)
If you'd like to see a scan of your project's dependencies, you can do so for free in a few clicks by signing up for LunaTrace and pointing it at your repo. If you'd like participate in testing out our EPSS support, we ask that you sign up and then message us on Discord to request access.
Thanks for reading and we hope that you found this information about EPSS helpful!