Draft:Exploit Prediction Scoring System

Submission declined on 20 May 2025 by SportingFlyer (talk).

This submission is not adequately supported by reliable sources. Reliable sources are required so that information can be verified. If you need help with referencing, please see Referencing for beginners and Citing sources.

This submission appears to be taken from https://www.first.org/epss/. Wikipedia cannot accept material copied from elsewhere, unless it explicitly and verifiably has been released to the world under a suitably free and compatible copyright license or into the public domain and is written in an acceptable tone—this includes material that you own the copyright to. You should attribute the content of a draft to outside sources, using citations, but copying and pasting or closely paraphrasing sources is not acceptable. The entire draft should be written using your own words and structure.

Note to reviewers: do not leave copyright violations sitting in the page history. Please follow the cleanup instructions.

Administrators: if the page has been cleaned and you are seeing this notice, please change the cv to cv-cleaned in the {{AfC submission}} call.

If you would like to continue working on the submission, click on the "Edit" tab at the top of the window.
If you have not resolved the issues listed above, your draft will be declined again and potentially deleted.
If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors.
Please do not remove reviewer comments or this notice until the submission is accepted.

Where to get help

If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews.
If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed.

How to improve a draft

Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia.
Help:Wikitext – how to use the markup
Help:Referencing for beginners – how to include references
Wikipedia:Article development – how to develop your article
Wikipedia:Writing better articles – how to improve your article
Wikipedia:Verifiability – make sure your article includes reliable third-party sources

You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article.

Improving your odds of a speedy review

To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags.

Add tags to your draft

Editor resources

Easy tools: Citation bot (help) | Advanced: Fix bare URLs

Declined by SportingFlyer 15 minutes ago. Last edited by SportingFlyer 15 minutes ago. Reviewer: Inform author.

Resubmit

Please note that if the issues are not fixed, the draft will be declined again.

Submission declined on 14 April 2025 by Asilvering (talk).

This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are:

in-depth (not just passing mentions about the subject)
reliable
secondary
independent of the subject

Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia.

Declined by Asilvering 35 days ago.

Submission declined on 12 April 2025 by AstrooKai (talk).

This draft includes a list of general references, but it lacks sufficient corresponding inline citations. Please improve this article by introducing more precise citations.

Declined by AstrooKai 37 days ago.

Submission declined on 12 April 2025 by AstrooKai (talk).

This draft includes a list of general references, but it lacks sufficient corresponding inline citations. Please improve this article by introducing more precise citations.

Declined by AstrooKai 37 days ago.

Comment: This isn't sourced well enough for me to accept, and it potentially contains content too closely paraphrased to its own website, which features an all rights reserved copyright notice. SportingFlyer T·C 02:25, 20 May 2025 (UTC)

Exploit Prediction Scoring System (EPSS) is an open, data-driven risk metric that estimates the probability a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.^[1] Managed by the Forum of Incident Response and Security Teams (FIRST), EPSS complements the severity-focused Common Vulnerability Scoring System (CVSS) by prioritizing vulnerabilities according to real-world exploitation likelihood.^[1]

Overview

EPSS produces a numerical probability between 0 and 1 (expressed as 0–100%) for every Common Vulnerabilities and Exposures (CVE) identifier listed in the National Vulnerability Database (NVD).^[2] A higher score indicates a greater chance that the vulnerability will be targeted by threat actors during the next month.^[2] Scores are recalculated and published daily as a downloadable data set and through an API.^[2]

Mission

The Exploit Prediction Scoring System (EPSS) aims to help network defenders prioritize remediation by estimating the likelihood that a software vulnerability will be exploited.^[3] It uses current threat information from CVE and real-world exploit data to produce a probability score between 0 and 1 (0–100%).^[3] The higher the score, the greater the probability of exploitation.^[3] Machine learning enhances its predictive accuracy.^[4]

Updates to EPSS

Version 4 (current) – released 17 March 2025.^[1]
Version 3 – released 7 March 2023.^[5]
Major update – 4 February 2022.^[6]
First public scores – 7 January 2021.^[7]
EPSS SIG formed at FIRST – April 2020.^[8]
Original EPSS model presented at Black Hat – 2019.^[8]

Goals and deliverables

EPSS publishes scores for all CVEs in a public state.^[2] The EPSS-SIG aims to improve data collection and analysis for near-real-time assessments of publicly disclosed vulnerabilities.^[9] This involves partnerships with data providers and infrastructure for a publicly accessible interface.^[3] Multiple datasets, including intrusion-detection systems, honeypots, and malware analysis, are ingested to identify exploitation instances.^[3]

History

Black Hat 2019 – The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky.^[8]
April 2020 – FIRST chartered the EPSS Special Interest Group (SIG) to develop the model collaboratively.^[9]
7 January 2021 – Public publication of daily EPSS scores began (model v1).^[7]
4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.^[6]
7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.^[5]
17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.^[1]

Methodology

EPSS employs supervised machine-learning, currently using gradient-boosted trees, trained on historical exploitation events.^[3] Predictive features include:

CVSS base metrics (attack vector, privileges required, etc.).^[3]
Availability of exploit code in public repositories or exploit kits.^[3]
Mentions in security advisories and social-media telemetry.^[3]
Presence of the CVE in malware campaigns or botnet traffic.^[3]

The model is retrained periodically to incorporate new data sources and adversary behavior.^[3] Performance is measured using area under the precision-recall curve (AUPRC) against confirmed exploitation incidents.^[3]

Output interpretation

EPSS scores are decile-ranked: the top 1% of scores historically accounts for roughly 80% of observed exploitation activity.^[2] FIRST recommends prioritizing remediation for CVEs above the 0.5 probability threshold, though organizations may choose bespoke cut-offs based on risk appetite.^[2]

Adoption and usage

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities Catalog for patch triage.^[10] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.^[8] Academic research uses EPSS to model exploit trends and evaluate defenses.^[11]

Comparison with other scoring systems

While CVSS quantifies technical severity, EPSS predicts exploitation likelihood.^[3] Combining both aligns remediation with actual threat activity.^[12]

External links

Official website

References

^ ^a ^b ^c ^d "EPSS Version 4 Released". FIRST. 17 March 2025. Retrieved 14 April 2025.
^ ^a ^b ^c ^d ^e ^f "EPSS Data Statistics". FIRST. Retrieved 14 April 2025.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m "How the EPSS Scoring System Works". Orca Security Blog. 15 February 2023. Retrieved 14 April 2025.
^ "Machine Learning Improves Prediction of Exploited Vulnerabilities". Dark Reading. 7 March 2023. Retrieved 14 April 2025.
^ ^a ^b "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.
^ ^a ^b "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.
^ ^a ^b "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.
^ ^a ^b ^c ^d "What Is an EPSS Score?". Brinqa. 10 February 2024. Retrieved 14 April 2025.
^ ^a ^b "EPSS Special Interest Group Portal". FIRST. Retrieved 14 April 2025.
^ Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].
^ Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].
^ Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Hoon Wei Lim; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].

^[1]

^[2]

^[3]

^[4]

^[5]

^ "Machine Learning Improves Prediction of Exploited Vulnerabilities". Dark Reading. 7 March 2023. Retrieved 14 April 2025.
^ "EPSS Integration Expands Across Vulnerability-Management Vendors". Dark Reading. 2 April 2025. Retrieved 14 April 2025.
^ A Visual Exploration of Exploits in the Wild (Report). Cyentia Institute. 2024. Retrieved 14 April 2025.
^ "Healthcare and Public Health Sector Vulnerability Mitigation Guide" (PDF). Cybersecurity and Infrastructure Security Agency. 2023. Retrieved 14 April 2025.
^ 2024 Data Breach Investigations Report (PDF) (Report). Verizon. 2024. Retrieved 14 April 2025.

[FIRST2025-1] "EPSS Version 4 Released". FIRST. 17 March 2025. Retrieved 14 April 2025.

[DataStats-2] ^ ^a ^b ^c ^d ^e ^f "EPSS Data Statistics". FIRST. Retrieved 14 April 2025.

[Orca2023-3] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l ^m "How the EPSS Scoring System Works". Orca Security Blog. 15 February 2023. Retrieved 14 April 2025.

[DR2023-4] "Machine Learning Improves Prediction of Exploited Vulnerabilities". Dark Reading. 7 March 2023. Retrieved 14 April 2025.

[FOSSA2023v3-5] "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.

[FOSSA2023v2-6] "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.

[FOSSA2023v1-7] "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.

[Brinqa-8] "What Is an EPSS Score?". Brinqa. 10 February 2024. Retrieved 14 April 2025.

[EPSSSIG-9] "EPSS Special Interest Group Portal". FIRST. Retrieved 14 April 2025.

[Parla-10] Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].

[Mell-11] Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].

[Jiang-12] Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Hoon Wei Lim; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].

[DR2023-13] "Machine Learning Improves Prediction of Exploited Vulnerabilities". Dark Reading. 7 March 2023. Retrieved 14 April 2025.

[DR2025-14] "EPSS Integration Expands Across Vulnerability-Management Vendors". Dark Reading. 2 April 2025. Retrieved 14 April 2025.

[Cyentia2024-15] A Visual Exploration of Exploits in the Wild (Report). Cyentia Institute. 2024. Retrieved 14 April 2025.

[CISAHPH-16] "Healthcare and Public Health Sector Vulnerability Mitigation Guide" (PDF). Cybersecurity and Infrastructure Security Agency. 2023. Retrieved 14 April 2025.

[VerizonDBIR-17] 2024 Data Breach Investigations Report (PDF) (Report). Verizon. 2024. Retrieved 14 April 2025.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[1]

[2]

[3]

[4]

[5]