EPSS Vs CVSS: How Do They Compare?

Learn the differences between EPSS and CVSS

The tech industry loves its acronyms and one that is grabbing attention these days is the Exploit Prediction Scoring System (EPSS). Since many people are more familiar with the Common Vulnerability Scoring System (CVSS), the question becomes, what is the difference between the two scores?

A definition of both is a good place to start.

The EPSS is a large, open, data-driven effort used to estimate the probability that a software vulnerability will be exploited in the wild. It uses machine learning, and EPSS v2 (released in March 2023) may generate fewer false positives than CVSS.

The data sources it uses include the MITRE CVE List, NVD (National Vulnerability Database), and various threat intelligence feeds such as Metasploit and ExploitDB.

EPSS is a volunteer effort led by researchers, security practitioners, academics, and government professionals. There are two core metrics it focuses on: efficiency (the share of remediated vulnerabilities that were actually exploited, a measure of how well remediation resources are spent) and coverage (the percentage of exploited vulnerabilities that were remediated).

It also has its own special interest group (SIG).

The Ins and Outs of CVSS

The CVSS generates a score between zero and 10 to represent the severity of an information security vulnerability based on the innate characteristics of vulnerabilities. The higher the score, the greater the likelihood that a vulnerability will be exploited within a month.

CVSS is well-suited as a standard measurement system for organizations and governments that need accurate and consistent vulnerability severity scores. CVSS is commonly used to calculate the severity of vulnerabilities discovered internally within an organization and as a factor in the prioritization of vulnerability remediation activities. In fact, CVSS scores are provided by the National Vulnerability Database (NVD) for almost all known vulnerabilities.

To generate a CVSS score, there are a number of factors used including:

  • Attack vector
  • Attack complexity
  • Required privileges
  • User interaction
  • Scope
  • Confidentiality
  • Integrity
  • Availability

Should You Use EPSS or CVSS?

Because an EPSS score can determine how to prioritize which software to patch based on a certain threshold, there is a school of thought that EPSS should be used in conjunction with CVSS.

Another school of thought is that while “EPSS is doing something smart,” and it “is great in that it is bringing attention to threat data,” its applicability “is much narrower” than people might expect.

“EPSS got here attempting to avoid one of our key criticisms of CVSS: CVSS vector elements are not actually numbers, just rankings, and so the whole idea of using mathematics to combine the CVSS vector elements into a final score is unjustified.”

In contrast, EPSS takes in qualitative attributes and uses a machine learning model to produce a genuine probability. That probability is only meaningful for a correctly specified event and timeframe.

The caveat is that EPSS does not estimate a vulnerability’s impact if it is exploited. It is also useful only when an organization is mature enough to distinguish, and has the capacity to address, vulnerabilities that sit “just below the obvious” widely exploited threats, and when the provenance of the EPSS data matches the organization.

So it is up to each organization to measure and validate the usefulness of EPSS in its own environment. Even though many organizations’ environments should be a close enough match to the data used to train EPSS, do your due diligence.

Try to measure how many false positive prioritizations and how many misses there are of things you should care about. If applicable, EPSS should be one of the risk factors your organization uses when assessing the risk a vulnerability poses.
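The efficiency and coverage metrics described earlier, applied to the threshold-based prioritization and the false-positive/miss measurement discussed above, as an added example that is not part of the original article. The inventory, the CVE-style identifiers, and all scores and exploitation outcomes are constructed for illustration; only the metric definitions follow EPSS.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str          # hypothetical identifier, not a real CVE
    cvss: float       # CVSS base score, 0 to 10
    epss: float       # EPSS probability of exploitation, 0 to 1
    exploited: bool   # ground truth: was exploitation observed in the window?

INVENTORY = [  # constructed sample; scores and outcomes are made up for illustration
    Vuln("CVE-0000-0001", 9.8, 0.92, True),
    Vuln("CVE-0000-0002", 9.1, 0.03, False),
    Vuln("CVE-0000-0003", 7.5, 0.61, True),
    Vuln("CVE-0000-0004", 7.2, 0.01, False),
    Vuln("CVE-0000-0005", 5.3, 0.44, True),
    Vuln("CVE-0000-0006", 8.8, 0.02, False),
    Vuln("CVE-0000-0007", 4.0, 0.005, False),
    Vuln("CVE-0000-0008", 9.0, 0.15, False),
]

def prioritize(vulns, cvss_min=None, epss_min=None):
    """Pick vulnerabilities to remediate. A threshold of None disables that
    filter, so one function covers CVSS-only, EPSS-only and combined policies."""
    return [v for v in vulns
            if (cvss_min is None or v.cvss >= cvss_min)
            and (epss_min is None or v.epss >= epss_min)]

def evaluate(vulns, remediated):
    """Score a decision with EPSS's two core metrics: efficiency (share of
    remediated vulns that were exploited; the rest are false positives) and
    coverage (share of exploited vulns that were remediated; the rest are misses)."""
    exploited = {v.cve for v in vulns if v.exploited}
    chosen = {v.cve for v in remediated}
    hits = len(chosen & exploited)
    return {
        "remediated": len(chosen),
        "false_positives": len(chosen - exploited),
        "misses": len(exploited - chosen),
        "efficiency": round(hits / len(chosen), 3) if chosen else 0.0,
        "coverage": round(hits / len(exploited), 3) if exploited else 0.0,
    }

def compare_policies(vulns=INVENTORY):
    # Three policies evaluated on the same inventory so the trade-off is visible
    return {
        "cvss>=7.0": evaluate(vulns, prioritize(vulns, cvss_min=7.0)),
        "epss>=0.1": evaluate(vulns, prioritize(vulns, epss_min=0.1)),
        "cvss>=7.0 and epss>=0.1": evaluate(vulns, prioritize(vulns, 7.0, 0.1)),
    }
```

Calling `compare_policies()` on the sample shows the CVSS-only policy patching six items to catch two exploited ones, while the combined policy drops a CVSS 5.3 vulnerability that was in fact exploited, which is exactly the "just below the obvious" case the article warns about.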

About the author: Esther Shein is a longtime freelance tech and business writer and editor whose work has appeared in several publications, including CIO.com, TechRepublic, VentureBeat, ZDNet, TechTarget, The Boston Globe and Inc. She has also written thought leadership whitepapers, ebooks, case studies and marketing materials.
