Mission
The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. Our goal is to assist network defenders to better prioritize vulnerability remediation efforts. While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
If you would like to join the EPSS special interest group, please visit the EPSS-SIG portal and fill out the "Request to Join" form. Anyone is welcome to join our mailing list and Slack. We meet every other Friday at 11 am eastern time, GMT -5.
Alternatively, if you would like to receive email updates about EPSS news and announcements, please subscribe to our low-volume EPSS-news list:
- Subscribe by writing an e-mail to epss-news-subscribe [at] first.org
- Unsubscribe by writing an e-mail to epss-news-unsubscribe [at] first.org
Updates to EPSS
- The latest update to the EPSS model was released on March 7th, 2023.
- The previous major update was released on February 4th, 2022.
- The first release of public scores began on January 7th, 2021.
- This EPSS SIG was formed at FIRST in April of 2020
- The original EPSS model was presented at Blackhat 2019
Goals & Deliverables
We currently produce EPSS scores for all CVEs in a published state. In addition, the EPSS SIG is working to improve the maturity of data collection and analysis in order to provide near-real time assessments of all publicly disclosed vulnerabilities. This requires developing partnerships with data providers and establishing an infrastructure from which we can provide a publicly-accessible interface for EPSS scores. We are already ingesting multiple open and commercial datasets, and our most critical data are those that can identify instances of actual vulnerability exploitation (i.e. exploits in the wild), which can come from many sources:
intrusion detection systems, honeypots, network observatories, malware analysis and detection efforts, and other sensor networks.
If you know of any potential data that could improve this effort, please let us know! We can be reached at epss-chairs@first.org.
Usage Agreement
EPSS is an emerging standard developed by a volunteer group of researchers, practitioners, academics and government personnel. We grant the use of EPSS scores freely to the public, subject to the conditions below. We reserve the right to update the model and these webpages periodically, as necessary, though we will make every attempt to provide sufficient notice to users in the event of material changes. While membership in the EPSS SIG is not required to use or implement EPSS, however, we ask that if you are using EPSS, that you provide appropriate attribution where possible. EPSS can be cited either from this website (e.g. "See EPSS at https://www.first.org/epss), or as: Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid, (2021), Exploit Prediction Scoring System, Digital Threats Research and Practice, 2(3)
Chairs
- Sasha Romanosky, RAND
- Jay Jacobs, Cyentia
Creators
- Jay Jacobs, Cyentia
- Sasha Romanosky, RAND
- Ben Edwards, Cyentia
- Idris Adjerid, Virginia Tech
- Michael Roytman, Cisco
Data Team
- Jay Jacobs, Cyentia
- Sasha Romanosky, RAND
- Ben Edwards, Cyentia
- Armin Sarabi, University of Michigan
- Octavian Suciu, University of Maryland
- David Severski, Cyentia
SIG Members and Contributors
The EPSS SIG includes over 200 members from around the world, representing practitioners, researchers, government agencies, and software developers. Listed below are just a few of them.
- Luca Allodi, Eindhoven University of Technology (TU/e)
- Jeff Araujo, Interactions LLC
- Ken Armstrong, Intertek EWA-Canada
- Ashutosh Barot, Deloitte
- Matthew Biby, Satcom Direct
- M. Fatih Bulut, Ph.D., IBM T.J. Watson Research Center
- Ionut Mihai Chelalau
- Michele Campobasso, Eindhoven University of Technology (TU/e)
- Francesco Cipollone, AppSec Phoenix
- Jonathan Cran, Intrigue
- Michael Daniel, Cyber Threat Alliance (CTA)
- Leandro Pfleger de Aguiar, Siemens Corporation
- Dave Dugal, Juniper
- Josiah Dykstra, U.S. Department of Defense
- Steve Finegan
- Jerry Gamblin, Cisco
- David Gatey, RMS
- David Glosser
- Walter Haydock
- Jeff Hanson, Unify Consulting
- Margaux Hoaglund, Citi
- R.D. Keith, Accenture
- Jim Kohli, GE Healthcare
- Kent Landfield, McAfee
- Enrico Lovat, Siemens Corporation
- Thomas Millar, U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA)
- Alana Maurushat, Western Sydney University, Australia
- Daniel Sadoc Menasche, Universidade Federal do Rio de Janeiro
- Jorge Orchilles, SCYTHE
- Sudhir Parikh
- Paolo Di Prodi, Fortinet
- Sam Ransbotham, Boston College
- Rafeeq Rehman
- Matilda Rhode, Airbus
- Vishvander Singh, Dell
- Stephen Shaffer, Peloton Interactive
- Jonathan M. Spring, U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA)
- Octavian Suciu, University of Maryland
- Alexis Waché, Chubb
- Ken Williams, Broadcom
- Melissa Vice, U.S. Department of Defense Cyber Crime Center (DC3)
FIRST Support
All of us are very grateful to Grace Staley and Guilherme Capilé for their administrative and technical support.
