Should You Use CVSS or EPSS for Risk Management?

You might know that it’s imperative to keep an eye on vulnerabilities in your security environment, but you also probably know that it’s sometimes tough to prioritize. With so many different ways to be attacked, what’s the best way to protect ourselves and our application security? How do we know what vulnerabilities to tackle first?

A good place to start for risk management is measuring the severity of each known vulnerability. Two common ways to score this are the Common Vulnerability Scoring System (CVSS) or the Exploit Prediction Scoring System (EPSS).

What is CVSS?

Basically, CVSS (v3.1) tells you how severe your infrastructure’s vulnerabilities are. It uses a scale of 0.0 to 10.0. While CVSS can’t tell you what your risk of a breach is, it can give you an idea of how problematic a breach at a particular vector will be. This allows you to address the highest severity vulnerabilities first.

CVSS is calculated by looking at a base score, a temporal score, and an environmental score. These scores also have subscores that contribute to the scoring. Let’s break it down:

  • Base Score: How inherently vulnerable is your application? Several subscores contribute to this score.
    • User Interaction: How an attacker might get information from legitimate users to gain more access.
    • Privileges Required: How an attacker could exploit the vulnerability depending on access level.
    • Confidentiality, Integrity, and Availability: How private and unalterable a customer’s data is, plus how customers will be affected if an attack disrupts their data access.
    • Attack Complexity: How difficult it would be to attack repeatedly.
    • Authentication: How many times an attacker will have to authenticate his identity.
  • Temporal Score: How vulnerabilities may change over time due to updates, infrastructure changes, etc.
    • Exploitability: How practical it is for an attacker to use this particular vulnerability.
    • Remediation Level: How new fixes may change the ability of an attacker to exploit the vulnerability.
    • Report Confidence: How certain we are that the vulnerability really exists. Has it been exploited already by someone somewhere, or is it still purely theoretical?
  • Environmental Score: This is considered a Modified Base Score, which means it is a comparison that uses each subscore from the Base category but calculates it based on the individual company. This score is then compared to the Base score, which represents the typical score for an average organization.

What is EPSS?

EPSS measures the likelihood that a vulnerability will be exploited. Volunteers upload results determined by machine learning to a freely available database, and companies can go looking for the scores of certain vulnerabilities to determine how to prioritize their patches. Although it is still early in development, EPSS promises to become an important component of risk management.

As EPSS matures, the goal is for it to update vulnerability scores in real time so that companies can determine their risk as soon as they realize there is a new vulnerability.

CVSS vs. EPSS

The primary difference between CVSS and EPSS is their goals. The former quantifies the amount of damage an attack at a certain vector is likely to cause while the latter quantifies the likelihood that an attack at that vector will occur at all.

While CVSS can be manually calculated (or you can enter your metric values into a CVSS calculator), EPSS relies on algorithms and machine learning. EPSS has the advantage of an extremely large data set, but CVSS is more transparent. CVSS reportedly generates more false positives than EPSS.

Although they are quite different measurements, CVSS and EPSS are complementary. Given the small number of vulnerabilities a company can reasonably patch in a given timespan, using CVSS to determine severity and then following up with EPSS to determine risk may be the best practice. This way, companies can first prioritize by critical status, and within that, the critical vulnerabilities most likely to be exploited.
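The two-stage prioritization just described, as an added example rather than anything from the original post: findings are grouped into CVSS v3.1 severity bands first, then ordered by EPSS probability within each band, and the result is compared with what EPSS alone would suggest. The findings, their scores and the CVE-style ids are constructed placeholders.

```python
# Constructed sample findings: CVSS v3.1 base score plus EPSS probability
# (EPSS estimates the probability of exploitation in the next 30 days).
# The ids are placeholders, not real CVE records.
FINDINGS = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.02},
    {"id": "CVE-0000-0002", "cvss": 9.1, "epss": 0.71},
    {"id": "CVE-0000-0003", "cvss": 7.5, "epss": 0.94},
    {"id": "CVE-0000-0004", "cvss": 5.3, "epss": 0.01},
    {"id": "CVE-0000-0005", "cvss": 8.8, "epss": 0.00045},
]

# Most to least urgent band, per the CVSS v3.1 qualitative rating scale.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]


def severity(score):
    """CVSS v3.1 qualitative severity rating for a numeric score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def rank_by_epss(findings):
    """Likelihood only: the order EPSS alone would suggest."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["epss"])]


def rank_combined(findings):
    """Severity band first (CVSS), then likelihood within the band (EPSS)."""
    ordered = sorted(
        findings,
        key=lambda f: (SEVERITY_ORDER.index(severity(f["cvss"])), -f["epss"]),
    )
    return [f["id"] for f in ordered]


def patch_plan(findings, capacity):
    """The findings that fit into one patching cycle under the combined order."""
    return rank_combined(findings)[:capacity]
```

With a capacity of two patches this cycle, the combined order picks the two Criticals (the exploited one first), whereas EPSS alone would start with the High-rated finding that has the largest exploitation probability.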

Vulnerability and Risk Management at Scale

It’s nearly impossible for the average company to patch every possible vulnerability. Most organizations don’t have the money or the manpower to dedicate to a perfectly secure environment. Both CVSS and EPSS can be helpful for prioritization, and both offer helpful data.

Finding the risks isn’t the whole picture, though. Once you know your company has vulnerabilities, how severe they are, and how likely they are to be exploited, you need to find a solution. To maximize your application security, you can implement solutions such as WAFs, WAAPs, or RASPs.

A WAF protects web apps from malicious code, secures data, and filters traffic. Although a WAF can’t fix the vulnerabilities in your web app’s code, it can help keep attackers away from them. WAAPs are similar to WAFs, but think of them like the next step up. They bring more sophisticated detection capabilities to the table.

It’s possible to use RASP alongside a WAAP or WAF. It acts as a second line of defense that monitors your app’s execution. Because RASP is usually embedded in the application itself, it can catch atypical use of the app and then block that suspicious activity.

None of these measures are guaranteed to eliminate vulnerabilities. However, by looking at your company’s vulnerabilities and risks, using both CVSS and EPSS, you can get a pretty good idea of where to patch. Neither measure is complete by itself, but using both of them offers a fuller picture. Additionally, using virtual patch methods like WAFs, WAAPs, and RASPs can start addressing the vulnerabilities.
