Exploit Prediction Scoring System

The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST that estimates the probability that a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.[1][2] EPSS measures the likelihood of exploitation rather than the severity of impact, so it is complementary to the Common Vulnerability Scoring System (CVSS), which scores severity.[1] Combining EPSS and CVSS aligns remediation priorities with observed threat activity instead of with severity alone.[3][4]

EPSS
Exploit Prediction Scoring System
Year started: 2021
Latest version: Version 4
Organization: FIRST
Domain: Information security
Website: www.first.org/epss

Characteristics

Each scored vulnerability receives a probability between 0 and 1, the model's estimate of the chance that it will be exploited in the wild within the following 30 days; scores are recomputed and republished daily as new data arrives. Alongside the probability, FIRST publishes a percentile that ranks the vulnerability against all other scored CVEs, which is useful because the raw probabilities are heavily skewed toward values near zero.[5]
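The following Python script is an added example, not code from FIRST or the EPSS SIG. It shows how a practitioner typically consumes the scores: parse the daily CSV (the excerpt below is constructed, using placeholder CVE-2099-* identifiers and made-up scores, but it follows the published column layout of a leading '#' metadata line followed by cve,epss,percentile), join the EPSS probability and percentile with a CVSS base score and CISA KEV membership, assign a remediation tier, and compare how much of the backlog's expected exploitation a fixed patching budget captures when ranked by CVSS versus by EPSS. The tier thresholds (0.10 and 0.01 for EPSS, 7.0 for CVSS) are illustrative policy choices, not values defined by the standard.

```python
"""Combine EPSS probabilities with CVSS base scores for patch triage.

Added example, not code from FIRST or the EPSS SIG. The CSV excerpt below is
constructed; it follows the column layout of FIRST's daily score file
(a leading '#' comment line, then cve,epss,percentile). CVE-2099-* IDs are
placeholders, not real vulnerabilities, and the CVSS/KEV values are made up.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass

SAMPLE_EPSS_CSV = """\
#model_version:v2025.03.14,score_date:2025-04-14T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.97565,0.99989
CVE-2099-0002,0.00043,0.09812
CVE-2099-0003,0.12210,0.95230
CVE-2099-0004,0.02110,0.88410
CVE-2099-0005,0.00120,0.30170
"""

# Constructed CVSS base scores and KEV membership for the same placeholder IDs.
SAMPLE_CVSS = {
    "CVE-2099-0001": (10.0, True),
    "CVE-2099-0002": (9.8, False),
    "CVE-2099-0003": (5.3, False),
    "CVE-2099-0004": (7.5, False),
    "CVE-2099-0005": (4.3, False),
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float        # CVSS base score, 0.0-10.0 (severity, not likelihood)
    epss: float        # EPSS: probability of exploitation within 30 days, 0-1
    percentile: float  # EPSS percentile: rank among all scored CVEs, 0-1
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog


def parse_epss_csv(text: str) -> dict[str, tuple[float, float]]:
    """Parse the daily EPSS CSV, skipping '#' metadata lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in csv.DictReader(lines)}


def load_findings(epss_text: str, cvss_table: dict) -> list[Finding]:
    """Join EPSS scores with CVSS/KEV data; CVEs without an EPSS row are skipped."""
    scores = parse_epss_csv(epss_text)
    return [Finding(cve, cvss, *scores[cve], in_kev)
            for cve, (cvss, in_kev) in cvss_table.items() if cve in scores]


def triage(f: Finding, epss_hot: float = 0.10, epss_warm: float = 0.01,
           cvss_high: float = 7.0) -> str:
    """Assign a remediation tier. Thresholds are illustrative policy choices."""
    if f.in_kev or f.epss >= epss_hot:
        return "P1"  # confirmed or highly likely exploitation
    if f.cvss >= cvss_high and f.epss >= epss_warm:
        return "P2"  # severe impact and non-negligible likelihood
    if f.cvss >= cvss_high:
        return "P3"  # severe on paper, little sign anyone is exploiting it
    return "P4"


def expected_exploited(findings) -> float:
    """Expected number of findings exploited within 30 days, treating the
    scores as independent Bernoulli probabilities (a simplifying assumption)."""
    return sum(f.epss for f in findings)


def coverage(selected, findings) -> float:
    """Share of the backlog's expected exploitation captured by `selected`."""
    total = expected_exploited(findings)
    return expected_exploited(selected) / total if total else 0.0


def top_n(findings, key, n: int):
    """The n findings ranked highest by `key` (e.g. CVSS or EPSS)."""
    return sorted(findings, key=key, reverse=True)[:n]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EPSS_CSV, SAMPLE_CVSS)
    for f in findings:
        print(f"{f.cve} cvss={f.cvss:4.1f} epss={f.epss:.5f} "
              f"pct={f.percentile:.3f} kev={f.in_kev} -> {triage(f)}")
    by_cvss = top_n(findings, lambda f: f.cvss, 2)
    by_epss = top_n(findings, lambda f: f.epss, 2)
    print(f"patch top-2 by CVSS: coverage {coverage(by_cvss, findings):.3f}")
    print(f"patch top-2 by EPSS: coverage {coverage(by_epss, findings):.3f}")
```

On the constructed data, a budget of two patches ranked by CVSS picks the two highest-severity items and captures about 87% of the expected exploitation, while ranking by EPSS swaps the CVSS 9.8 item (EPSS 0.00043) for a CVSS 5.3 item (EPSS 0.1221) and captures about 98%; the CVSS 9.8 item still lands in P3 rather than being ignored, which is the practical meaning of using the two scores together.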

History

The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019.[6] In April 2020 FIRST started a special interest group to develop the standard.[7]

Versions

  • 7 January 2021 – FIRST began publishing daily EPSS scores (model v1, a logistic-regression model).[8]
  • 4 February 2022 – Version 2 replaced the logistic-regression model with a gradient-boosted decision-tree model (XGBoost) and incorporated additional exploitation telemetry sources.
  • 7 March 2023 – Version 3 greatly expanded the feature set (for example, public exploit code availability, CWE, and vendor and product references) and improved predictive performance.
  • 17 March 2025 – Version 4 added further threat-intelligence data sources and performance gains.[1]

Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities (KEV) catalog for patch triage: KEV lists vulnerabilities with confirmed in-the-wild exploitation, while EPSS estimates the likelihood for the far larger set that has no such confirmation.[9] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[6] Academic research uses EPSS to model exploitation trends and to evaluate prioritization strategies.[10]

References

  1. "EPSS Version 4 Released". FIRST. 17 March 2025. Retrieved 14 April 2025.
  2. Kovacs, Eduard (20 May 2025). "Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers". SecurityWeek. Retrieved 15 March 2026.
  3. Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Lim, Hoon Wei; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". arXiv:2502.11070 [cs.CR].
  4. Ravalico, Damiano; Farina, Mauro; Trevisan, Martino; Bartoli, Alberto (2025). "Analysing the Temporal Dynamics of the Exploit Prediction Scoring Systems (EPSS)". doi.org. Retrieved 15 March 2026.
  5. "Exploit Prediction Scoring System (EPSS) Special Interest Group (SIG)". FIRST. Retrieved 16 April 2026.
  6. "What Is an EPSS Score?". Brinqa. 10 February 2024. Retrieved 14 April 2025.
  7. "EPSS Special Interest Group Portal". FIRST. Retrieved 14 April 2025.
  8. "Understanding and Using the EPSS Scoring System". FOSSA Blog. 20 January 2023. Retrieved 14 April 2025.
  9. Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". arXiv:2411.02618 [cs.CR].
  10. Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". arXiv:2405.01289 [cs.CR].