Exploit Prediction Scoring System (EPSS)
Mission
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for predicting when software vulnerabilities will be exploited. Our goal is to assist network defenders to better prioritize vulnerability remediation efforts. While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Goals & Deliverables
We currently produce EPSS scores for all CVEs since January 1, 2017 -- over 60,000 vulnerabilities. In addition, the EPSS SIG is working to improve the maturity of data collection and analysis in order to provide near-real time assessments of all publicly disclosed vulnerabilities. This requires developing partnerships with data providers and establishing an infrastructure from which we can provide a publicly-accessible interface for EPSS scores. We are already ingesting multiple open and commercial datasets, and our most critical data are those that can identify instances of actual vulnerability exploitation (i.e. exploits in the wild), which can come from many sources:
intrusion detection systems, honeypots, network observatories, malware analysis and detection efforts, and other sensor networks.
If you know of any potential data that could improve this effort, please let us know! We can be reached at epps-chairs at first.org.
In addition, if you would like to join the EPSS special interest group, send us an email at epss-chairs at first.org. Anyone is welcome to join our mailing list, and Slack. We meet every other Friday at 11 am eastern time.
Chairs
- Sasha Romanosky, RAND, Co-chair
- Jay Jacobs, Cyentia, Co-chair
Creators
- Jay Jacobs, Cyentia
- Sasha Romanosky, RAND
- Ben Edwards, Cyentia
- Idris Adjerid, Virginia Tech
- Michael Roytman, Kenna Security
SIG Members and Contributors
- Lilian Ablon
- Luca Allodi, Eindhoven University of Technology (TU/e)
- Ken Armstrong, Intertek EWA-Canada
- Ionut Mihai Chelalau
- Michele Campobasso, Eindhoven University of Technology (TU/e)
- Jonathan Cran (Intrigue)
- Michael Daniel, Cyber Threat Alliance
- Leandro Pfleger de Aguiar, Siemens Corporation
- Dave Dugal, Juniper
- Josiah Dykstra, U.S. Department of Defense
- David Gatey, RMS
- Seth Hanford, Proofpoint
- Margaux Hoaglund, Citi
- Kristopher Johnson, U.S. Department of Defense Cyber Crime Center (DC3)
- R.D. Keith, Accenture
- Jim Kohli, GE Healthcare
- Arkadeep Kundu, Dell
- Thomas Millar, U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA)
- Alana Maurushat, Western Sydney University, Australia
- Daniel Sadoc Menasche, Universidade Federal do Rio de Janeiro
- Kent Landfield, McAfee
- Enrico Lovat, Siemens Corporation
- Jorge Orchilles, SCYTHE
- Sam Ransbotham, Boston College
- Matilda Rhode, Airbus
- Jonathan M. Spring, CERT/CC, Software Engineering Institute, Carnegie Mellon University.
- Octavian Suciu, University of Maryland
- Ken Williams, Broadcom
- Paolo Di Prodi, Fortinet
- M. Fatih Bulut, Ph.D., IBM T.J. Watson Research Center
- Steve Finegan
- Sudhir Parikh
