Simplifying Vulnerability Prioritization with EPSS 3.0

Cybersecurity teams face a constant challenge: how to prioritize vulnerabilities effectively. The Exploit Prediction Scoring System, or EPSS, has emerged as a game-changer in this realm, and its latest iteration, EPSS 3.0, takes this innovation to a whole new level.

Understanding the Challenge

Before delving into EPSS 3.0, it's crucial to grasp the challenges organizations encounter in managing vulnerabilities. Traditionally, the Common Vulnerability Scoring System (CVSS) has been the go-to method for assessing the severity of vulnerabilities. However, CVSS alone often falls short in prioritizing risk effectively.

Many organizations, including governmental bodies like the US Federal Government and the Department of Defense (DoD), rely on CVSS severity scores to determine their vulnerability remediation timelines. While this may seem like a logical approach, the reality is that fewer than 10% of known vulnerabilities are ever exploited in the wild. This means that organizations end up spending valuable time and resources on vulnerabilities that pose little to no real risk.

The EPSS Solution

Enter EPSS, a system designed to aid vulnerability prioritization efforts by predicting the likelihood of a vulnerability being exploited within the next 30 days. EPSS has been a boon for security practitioners and organizations seeking to enhance their vulnerability management activities.

Recent studies have revealed that organizations can only remediate between 5% and 20% of their vulnerabilities each month, leaving them perpetually behind the curve as the number of emerging vulnerabilities continues to grow. EPSS addresses this challenge by helping organizations focus their efforts on vulnerabilities with actual proof or a high probability of exploitation.

A common strategy in vulnerability prioritization, often recommended by sources like PCI and federal vulnerability management guidelines, involves remediating vulnerabilities based on predefined timeframes after initial detection, primarily relying on CVSS severity scores. However, as mentioned earlier, this approach doesn't account for the fact that most vulnerabilities are never exploited.

EPSS 3.0: Taking Prioritization to New Heights

EPSS 3.0 represents a significant evolution in vulnerability management. According to the EPSS team, this version offers an impressive 82% performance improvement over its predecessors. This improvement is critical given the exponential growth of vulnerabilities; in 2022, the NIST National Vulnerability Database (NVD) saw a 24.3% increase in vulnerabilities compared to the previous year, totaling more than 25,000 vulnerabilities in just one year.

Despite this surge in vulnerabilities, organizations typically remediate only about 15.5% of their open vulnerabilities each month. This backlog leaves organizations constantly struggling to catch up, with some reporting backlogs exceeding 100,000 vulnerabilities.

EPSS aims to streamline this process by pinpointing vulnerabilities most likely to be exploited in the next 30 days. It does this by leveraging various sources, including FortiGuard, AlienVault OTX, the Shadowserver Foundation, and GreyNoise. These sources employ diverse techniques to identify exploitation attempts in digital environments worldwide. EPSS also utilizes over 1,400 features for predicting exploitation activity, including published exploit code, public vulnerability lists, offensive security tools, and vulnerability age, among others.
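To make the difference concrete, the following added example (not code from the EPSS project or from this post) ranks the same backlog by CVSS severity and by EPSS probability under a fixed monthly remediation capacity, then sums the EPSS probabilities of the selected items to get the expected number of them exploited within 30 days. The CVE ids, scores, and function names are constructed, and the CSV layout (a `#` metadata line followed by `cve,epss,percentile`) is assumed to match the EPSS daily download.

```python
import csv
import io

# Constructed sample in the assumed EPSS daily CSV layout; ids and scores are made up.
EPSS_CSV = """\
#model_version:SAMPLE,score_date:SAMPLE
cve,epss,percentile
CVE-0000-0001,0.00120,0.45000
CVE-0000-0002,0.91500,0.99800
CVE-0000-0003,0.00085,0.35000
CVE-0000-0004,0.00310,0.68000
CVE-0000-0005,0.42000,0.97000
CVE-0000-0006,0.00050,0.20000
CVE-0000-0007,0.01200,0.85000
CVE-0000-0009,0.07500,0.94000
"""

# Constructed scanner findings: CVE id -> CVSS v3 base score.
FINDINGS = {
    "CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5, "CVE-0000-0003": 9.1,
    "CVE-0000-0004": 8.8, "CVE-0000-0005": 6.5, "CVE-0000-0006": 10.0,
    "CVE-0000-0007": 5.3, "CVE-0000-0008": 8.1, "CVE-0000-0009": 7.2,
    "CVE-0000-0010": 9.0,  # 0008 and 0010 have no EPSS row (not scored yet)
}


def load_epss(text):
    """Parse the feed into {cve: probability}, skipping '#' metadata lines."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def plan(findings, epss, capacity, strategy):
    """Pick the findings that one month's capacity (a fraction) allows fixing."""
    budget = int(len(findings) * capacity)
    keys = {"cvss": lambda c: (-findings[c], c),  # severity only
            "epss": lambda c: (-epss.get(c, 0.0), -findings[c], c)}  # unscored last
    return sorted(findings, key=keys[strategy])[:budget]


def expected_exploited(selected, epss):
    """Expected number of the selected CVEs exploited in the next 30 days."""
    return round(sum(epss.get(c, 0.0) for c in selected), 4)


EPSS = load_epss(EPSS_CSV)
for name in ("cvss", "epss"):  # 0.20 = upper end of the 5%-20% monthly rate
    chosen = plan(FINDINGS, EPSS, 0.20, name)
    print(name, chosen, expected_exploited(chosen, EPSS))
```

Findings without an EPSS row sort last under the EPSS strategy, so they should be reviewed separately rather than treated as safe.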

Proven Effectiveness

To validate the performance improvements in EPSS 3.0, the EPSS special interest group conducted rigorous testing. They measured the system's ability to predict vulnerability exploitation over 30 days using the aforementioned features. Comparing the results to previous EPSS versions and CVSS v3 base scores revealed EPSS 3.0's superiority.

A Data-Driven Approach

While EPSS isn't without its limitations, it presents a robust, data-driven approach to help organizations focus on vulnerabilities with the highest threat potential based on probable exploitation activity. As the cybersecurity landscape continues to evolve, EPSS complements existing resources like CVSS and offers a smarter, more efficient way to address the most significant threats.




EPSS 3.0 is a pivotal advancement in vulnerability prioritization. It empowers organizations to make data-driven decisions, minimize resource wastage, and efficiently address vulnerabilities that genuinely matter. As the digital world becomes increasingly complex, tools like EPSS are essential for staying ahead of the cybersecurity curve. Explore EPSS further to unlock the potential of smarter vulnerability management.

Ready to enhance your digital security further? Don't forget to explore Codenotary's Enterprise TrustCenter, the ultimate solution for securing your software supply chain. Let's embark on this journey together, embracing continuous exploration, learning, and development to make the digital world more secure and efficient!