Exploit Prediction Scoring System (EPSS)
Mission
The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for predicting when software vulnerabilities will be exploited. The goal of this effort is to assist network defenders in better prioritizing vulnerability remediation efforts and defending their networks. While other efforts have been useful for capturing the innate characteristics of a vulnerability, and provide measures of severity, they are limited in their practical ability to assess threat. EPSS fills that gap because it uses current threat information, from CVE and real-world exploit data.
Goals & Deliverables
While we have already developed a working model ([version 1.0](https://arxiv.org/abs/1908.04856)), we seek to develop the next version of EPSS with expanded depth and breadth of data, while also improving the overall reliability of data collection in order to provide near-real-time assessments of publicly disclosed vulnerabilities. This requires developing partnerships with potential data providers (e.g. threat intelligence companies, IDS sensor networks, etc.) and establishing a solid infrastructure from which we can provide a publicly accessible interface for EPSS scores.
Chairs
- Sasha Romanosky, RAND, Co-chair
- Jay Jacobs, Cyentia, Co-chair
- Eireann Leverett, Concinnity Risks, Co-chair
Creators
- Jay Jacobs, Cyentia
- Sasha Romanosky, RAND
- Ben Edwards, Cyentia
- Idris Adjerid, Virginia Tech
- Michael Roytman, Kenna Security
SIG Members and Contributors
- Lilian Ablon
- Luca Allodi, Eindhoven University of Technology (TU/e)
- Ken Armstrong, Intertek EWA-Canada
- Ionut Mihai Chelalau
- Michele Campobasso, Eindhoven University of Technology (TU/e)
- Michael Daniel, Cyber Threat Alliance
- Leandro Pfleger de Aguiar, Siemens Corporation
- Dave Dugal, Juniper
- Josiah Dykstra, U.S. Department of Defense
- David Gatey, RMS
- Seth Hanford, Proofpoint
- Margaux Hoaglund, Citi
- Kristopher Johnson, U.S. Department of Defense Cyber Crime Center (DC3)
- R.D. Keith, Accenture
- Jim Kohli, GE Healthcare
- Arkadeep Kundu, Dell
- Thomas Millar, U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA)
- Alana Maurushat, Western Sydney University, Australia
- Daniel Sadoc Menasche, Universidade Federal do Rio de Janeiro
- Kent Landfield, McAfee
- Enrico Lovat, Siemens Corporation
- Jorge Orchilles, SCYTHE
- Sam Ransbotham, Boston College
- Matilda Rhode, Airbus
- Jonathan M. Spring, CERT/CC, Software Engineering Institute, Carnegie Mellon University
- Octavian Suciu, University of Maryland
- Ken Williams, Broadcom
- Paolo Di Prodi, Fortinet
- M. Fatih Bulut, Ph.D., IBM T.J. Watson Research Center
- Steve Finegan
- Sudhir Parikh