Tools

Exploit Prediction Scoring System Calculator

EPSS is the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented without specialized tools or software. Below you will find a simple-to-use calculator. Note that over time, and as more data become available, the parameters used to define the probability may change, as could their influence on the outcome.

Vulnerability Attributes

Number of vendor references to the vulnerability

0.2%

Probability of exploit in next 12 months

Vendor: Extracted from NVD-encoded CPE information (primarily CPE v2.2).
Reference Count: The count of references in the published CVE from MITRE.
Proof-of-concept exploit available: Exploit code is available, either in ExploitDB or posted to GitHub.
Weaponized exploit available: Exploit code is weaponized in a framework (Metasploit, Canvas, Elliot).
Enables arbitrary code execution: A variation of "code execution" is present in the description or references for the CVE.
Exploitable via local access only: A variation of any actor with or from local network access exists in the description or references for the CVE.
Exploitable via remote access: A variation of any actor with or from remote network access exists in the description or references for the CVE.
Can cause denial of service: A variation of "denial of service" exists in the description or references for the CVE.
Can cause memory corruption: A variation of memory/stack corruption exists in the description or references for the CVE.
Web originated vulnerability: A variation of web-based technology (server/browser) is discussed in the description or references for the CVE.

Model version 1.0

The Research

Exploit Prediction Scoring System (EPSS)

Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid

Despite the massive investments in information security technologies and research over the past decades, the information security industry is still immature. In particular, the prioritization of remediation efforts within vulnerability management programs predominantly relies on a mixture of subjective expert opinion, severity scores, and incomplete data. Compounding the need for prioritization is the increase in the number of vulnerabilities the average enterprise has to remediate. This paper produces the first open, data-driven framework for assessing vulnerability threat, that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented by practitioners without specialized tools or software, yet provides accurate estimates of exploitation. Moreover, the implementation is flexible enough that it can be updated as more, and better, data becomes available. We call this system the Exploit Prediction Scoring System, EPSS.

Related Presentations

Black Hat 2019: Predictive Vulnerability Scoring System

Michael Roytman, Jay Jacobs

Black Hat USA 2019

This work was originally presented at the Black Hat 2019 conference.

Effective prioritization of vulnerabilities is essential to staying ahead of your attackers. While your threat intelligence might expose a wealth of information about attackers and attack paths, integrating it into decision-making is no easy task. Too often, we make the mistake of taking the data given to us for granted – and this has disastrous consequences.

We'll explain what we miss by trusting CVSS scores, and what should absolutely be taken into consideration to focus on the vulnerabilities posing the greatest risks to our organizations. We'll look at tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately end up with a few dozen data points that helped us understand the probability of a vulnerability being exploited.

Finally, we'll use all that data as well as billions of in-the-wild events collected over 5 years in order to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.