Draft:Exploit Prediction Scoring System

Draft article not currently submitted for review. This is a draft Articles for creation (AfC) submission. It is not currently pending review. While there are no deadlines, abandoned drafts may be deleted after six months. To edit the draft click on the "Edit" tab at the top of the window. To be accepted, a draft should: Show the subject qualifies for a Wikipedia article by using multiple sources that meet four criteria. The sources should be (1) reliable (2) secondary (3) independent of the subject (4) talk about the subject in some depth. For some topics, there are alternative criteria. Be written from a neutral point of view Respect copyright and do not plagiarize. Do not copy-paste. It is strongly discouraged to write about yourself, your business or employer. If you do so, you must declare it. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Last edited by Saeedabbasi2025 (talk | contribs) 53 days ago. (Update) Submit the draft for review!

Exploit Prediction Scoring System (EPSS) is an open, data‑driven risk metric that estimates the probability a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days. Managed by the Forum of Incident Response and Security Teams (FIRST), EPSS complements the severity‑focused Common Vulnerability Scoring System (CVSS) by prioritising vulnerabilities according to real‑world exploitation likelihood.

EPSS produces a numerical probability between 0 and 1 (expressed as 0–100 %) for every Common Vulnerabilities and Exposures (CVE) identifier listed in the National Vulnerability Database (NVD). A higher score indicates a greater chance that the vulnerability will be targeted by threat actors during the next month. Scores are recalculated and published daily as a downloadable data set and through an API.

The Exploit Prediction Scoring System (EPSS) is a data‑driven effort for estimating the likelihood that a software vulnerability will be exploited in the wild. Its goal is to help network defenders prioritize remediation. While other industry standards capture the innate characteristics of a vulnerability and provide measures of severity, they are limited in assessing threat. EPSS fills that gap by using current threat information from CVE and real‑world exploit data. The EPSS model produces a probability score between 0 and 1 (0–100 %). The higher the score, the greater the probability that a vulnerability will be exploited.

• Version 4 (current) – released 17 March 2025
• Version 3 – released 7 March 2023
• Major update – 4 February 2022
• First public scores – 7 January 2021
• EPSS SIG formed at FIRST – April 2020
• Original EPSS model presented at Black Hat – 2019

EPSS publishes scores for all CVEs in a public state. The EPSS‑SIG aims to improve the maturity of data collection and analysis to provide near‑real‑time assessments of all publicly disclosed vulnerabilities. This requires partnerships with data providers and infrastructure for a publicly accessible interface to EPSS scores. Multiple open and commercial datasets are already ingested, with the most critical data identifying instances of actual exploitation (e.g., intrusion‑detection systems, honeypots, network observatories, malware analysis, and other sensor networks).

Black Hat 2019 – the original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs and Sasha Romanosky.

April 2020 – FIRST chartered the EPSS Special Interest Group (SIG) to develop the model collaboratively with industry and academia.

7 January 2021 – public publication of daily EPSS scores began (model v1).

4 February 2022 – version 2 incorporated additional telemetry sources and algorithmic improvements.

7 March 2023 – version 3 introduced gradient‑boosted decision trees and expanded feature sets.

17 March 2025 – version 4 became the current model, adding contextual threat‑intelligence feeds and performance gains.

EPSS employs supervised machine‑learning (currently gradient‑boosted trees) trained on historical exploitation events. Predictive features include:

CVSS base metrics (attack vector, privileges required, etc.)

Availability of exploit code in public repositories or exploit kits

Mentions in security advisories and social‑media telemetry

Presence of the CVE in malware campaigns or botnet traffic

The model is retrained periodically to incorporate new data sources and adversary behaviour. Performance is measured using area under the precision‑recall curve (AUPRC) against a ground‑truth set of confirmed exploitation incidents.

EPSS scores are deciles‑ranked: the top 1 % of scores historically accounts for roughly 80 % of observed exploitation activity. FIRST recommends prioritising remediation for CVEs above the 0.5 probability threshold, though organisations often choose bespoke cut‑offs based on risk appetite.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages network defenders to use EPSS alongside its Known Exploited Vulnerabilities Catalog when triaging patches.

Major vulnerability‑management platforms (e.g. Rapid7, Tenable, Qualys) integrate EPSS scores to drive risk‑based patching workflows.

Academic research has leveraged EPSS to model exploit trends and to evaluate proactive defences.

While CVSS quantifies the technical severity of a vulnerability, EPSS predicts exploitation likelihood. Studies show that combining EPSS with CVSS better aligns remediation efforts with actual threat activity than either metric alone.

Common Vulnerability Scoring System (CVSS)

Stakeholder‑Specific Vulnerability Categorization (SSVC)

National Vulnerability Database (NVD)

Official website

"EPSS Version 4 Released". FIRST. 17 March 2025. Retrieved 11 April 2025. {{cite web}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 3 (help); no-break space character in |title= at position 13 (help) "EPSS Data Statistics". FIRST. Retrieved 11 April 2025. {{cite web}}: Check date values in: |access-date= (help); no-break space character in |access-date= at position 3 (help)

"How the EPSS Scoring System Works". Orca Security Blog. 15 February 2023. Retrieved 11 April 2025. {{cite web}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 3 (help)

"Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 11 April 2025. {{cite web}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 3 (help)

"What Is an EPSS Score?". Brinqa. 10 February 2024. Retrieved 11 April 2025. {{cite web}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 3 (help)

Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv. Retrieved 11 April 2025. {{cite journal}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 2 (help)

"Measuring the Exploitation of Weaknesses in the Wild". arXiv. 1 May 2024. Retrieved 11 April 2025. {{cite journal}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 2 (help)

"A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv. 12 February 2025. Retrieved 11 April 2025. {{cite journal}}: Check date values in: |access-date= and |date= (help); no-break space character in |access-date= at position 3 (help); no-break space character in |date= at position 3 (help)