How EPSS 3.0 is an improvement over previous versions of the threat assessment system

by Contributor

In late 2022, we compared the Exploit Prediction Scoring System (EPSS) with the widely used Common Vulnerability Scoring System (CVSS). Now EPSS 3.0 brings a more comprehensive, efficient, and effective model to an industry looking to prioritize the vulnerabilities that pose the greatest threat, and it offers a robust API and data resource that anyone can access and consume as part of their vulnerability management program.

Although CVSS is the most widely used system for assessing the severity of vulnerabilities, it is inappropriately used in isolation to prioritize the risk those vulnerabilities pose. Many organizations, including the US Federal Government and the Department of Defense (DoD), use CVSS severity scores to drive their vulnerability remediation timeline requirements.

The introduction of the EPSS, which attempts to aid vulnerability prioritization efforts by providing a numerical score of how likely a vulnerability is to be exploited over the next 30-day window, has been a boon to security practitioners and organizations looking to improve their vulnerability management activities.

Organizations are falling behind in vulnerability management

Studies have shown that organizations can only remediate between 5% and 20% of their vulnerabilities each month, leaving them in a situation where they are perpetually falling behind the number of published and emerging vulnerabilities due to their inability to remediate them all.

Organizations ultimately aim to prioritize vulnerabilities for remediation, but their approaches have historically been very inefficient and ineffective, and this comes at a time when we constantly hear about the shortfall of cybersecurity talent and organizations struggling to attract and retain it. It has been found that using only a CVSS severity score to measure the risk of an individual vulnerability is equivalent to picking random vulnerabilities to fix, whereas focusing on vulnerabilities with actual proof or probability of exploitation is far more effective at mitigating organizational risk.

A common vulnerability prioritization strategy, called for in sources such as PCI and Federal vulnerability management guidance, is to remediate vulnerabilities within a predefined number of calendar days after initial detection, based on CVSS severity scores. In practice this means that critical and high vulnerabilities (as categorized by CVSS) are prioritized for remediation within seven to 30 days of initial detection. On the surface this seems intuitive, except that fewer than 10% of known vulnerabilities are ever actually exploited in the wild.
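As an added illustration (not from the article or the EPSS project), the following Python compares the CVSS-only calendar policy described above with an EPSS-first ordering on a constructed inventory, and sums the EPSS probabilities of whatever fits in a monthly remediation budget. The CVE ids, the scores, the 0.5 EPSS threshold and the budget of two fixes are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str      # identifier (constructed placeholder, not a real CVE)
    cvss: float   # CVSS base score, 0.0-10.0 (severity)
    epss: float   # EPSS score: probability of exploitation in the next 30 days, 0.0-1.0


# Constructed sample inventory; ids and scores are made up for illustration.
SAMPLE = [
    Vuln("CVE-SAMPLE-1", 9.8, 0.02),
    Vuln("CVE-SAMPLE-2", 7.5, 0.91),
    Vuln("CVE-SAMPLE-3", 5.3, 0.63),
    Vuln("CVE-SAMPLE-4", 9.1, 0.01),
    Vuln("CVE-SAMPLE-5", 8.8, 0.45),
]


def cvss_only_order(vulns):
    """The calendar-day policy from the article: work the list by CVSS severity alone."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def epss_first_order(vulns, threshold=0.5):
    """Assumed policy: anything at or above the EPSS threshold goes first (highest
    probability first); everything else falls back to the CVSS ordering."""
    hot = sorted((v for v in vulns if v.epss >= threshold), key=lambda v: v.epss, reverse=True)
    cold = sorted((v for v in vulns if v.epss < threshold), key=lambda v: v.cvss, reverse=True)
    return [v.cve for v in hot + cold]


def expected_exploited_in_top(vulns, order, budget):
    """Sum of EPSS probabilities over the first `budget` items of `order`: the expected
    number of vulnerabilities in that batch that will actually be exploited within 30 days.
    A higher value means the budget was spent on the vulnerabilities most likely to matter."""
    by_id = {v.cve: v for v in vulns}
    return sum(by_id[cve].epss for cve in order[:budget])


if __name__ == "__main__":
    budget = 2  # the 5-20% monthly remediation capacity the article cites, scaled down
    for name, order in (("CVSS only", cvss_only_order(SAMPLE)),
                        ("EPSS first", epss_first_order(SAMPLE))):
        print(f"{name:10s} {order[:budget]} expected exploited: "
              f"{expected_exploited_in_top(SAMPLE, order, budget):.2f}")
```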
