# Exploit Prediction Scoring System

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Exploit_Prediction_Scoring_System
> Markdown URL: https://mediated.wiki/source/Exploit_Prediction_Scoring_System.md
> Source: https://en.wikipedia.org/wiki/Exploit_Prediction_Scoring_System
> Source revision: 1349269650
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Information security standard

| EPSS | |
|---|---|
| Full name | Exploit Prediction Scoring System |
| Year started | 2021 |
| Latest version | Version 4 |
| Organization | FIRST |
| Domain | Information security |
| Website | www.first.org/epss |

The **Exploit Prediction Scoring System** (**EPSS**) is a [technical standard](/source/Technical_standard) managed by [FIRST](/source/Forum_of_Incident_Response_and_Security_Teams) for estimating the probability that a publicly disclosed software [vulnerability](/source/Vulnerability_(computer_security)) will be [exploited](/source/Exploit_(computer_security)) in the wild within the next 30 days.[1][2] EPSS is complementary to the [Common Vulnerability Scoring System](/source/Common_Vulnerability_Scoring_System).[1] Combining EPSS with CVSS aligns remediation priorities with observed threat activity.[3][4]

## Characteristics

Each vulnerability is assigned a [probability](/source/Probability) between 0 and 1 representing the estimated chance that it will be exploited in the real world.[5]

## History

The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at [Black Hat](/source/Black_Hat_(conference)) in 2019.[6] In April 2020 FIRST started a [special interest group](/source/Special_interest_group) to develop the standard.[7]

### Versions

- 7 January 2021 – Public publication of daily EPSS scores began (model v1).[8]

- 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.

- 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.

- 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.[1]

## Adoption

The U.S. [Cybersecurity and Infrastructure Security Agency](/source/Cybersecurity_and_Infrastructure_Security_Agency) (CISA) encourages using EPSS alongside its [Known Exploited Vulnerabilities Catalog](https://en.wikipedia.org/w/index.php?title=Known_Exploited_Vulnerabilities_Catalog&action=edit&redlink=1) for patch triage.[9] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[6] Academic research uses EPSS to model exploit trends and evaluate defenses.[10]
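The following is an added worked example, not code from the Wikipedia article, FIRST, or CISA. It illustrates both the probability semantics described under Characteristics and the triage pattern described here: an EPSS probability per CVE is joined with a CVSS base score and KEV catalog membership, and findings are sorted into action buckets. It assumes the EPSS feed is a CSV with columns `cve,epss,percentile` preceded by a `#` comment line; the CVE identifiers, scores, CVSS values and KEV membership are all constructed sample data, and the thresholds are illustrative policy choices rather than anything the standard prescribes.

```python
"""Risk-based patch triage combining EPSS probabilities with CVSS and KEV.

Added example; not part of the Wikipedia article or of FIRST's own tooling.
Assumptions: the EPSS feed is CSV text with columns cve,epss,percentile and
an optional leading '#' comment line (skipped). CVSS base scores and KEV
membership are supplied separately. Every identifier and number below is a
constructed sample value, not real data.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample of an EPSS daily feed (not real scores).
EPSS_CSV = """#model_version:vEXAMPLE,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.93000,0.99900
CVE-2099-0002,0.00120,0.45000
CVE-2099-0003,0.04500,0.91000
CVE-2099-0004,0.00030,0.10000
"""

# Constructed CVSS base scores for the same identifiers.
CVSS_BASE = {
    "CVE-2099-0001": 7.5,
    "CVE-2099-0002": 9.8,
    "CVE-2099-0003": 8.1,
    "CVE-2099-0004": 4.3,
}

# Constructed KEV membership (CVEs with confirmed exploitation in the wild).
KEV = {"CVE-2099-0003"}


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float        # probability of exploitation in the next 30 days, 0..1
    percentile: float  # fraction of scored CVEs with an EPSS score at or below this one
    cvss: float        # CVSS base score, 0..10
    in_kev: bool


def parse_epss(text: str) -> dict:
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    out = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        p = float(row["epss"])
        if not 0.0 <= p <= 1.0:  # EPSS is a probability; reject malformed feeds
            raise ValueError(f"EPSS score out of range for {row['cve']}: {p}")
        out[row["cve"]] = (p, float(row["percentile"]))
    return out


def build_findings(epss_text: str, cvss_base: dict, kev: set) -> list:
    """Join the three inputs on CVE id; CVEs missing from the feed are dropped."""
    epss = parse_epss(epss_text)
    return [Finding(c, *epss[c], cvss_base[c], c in kev) for c in cvss_base if c in epss]


def triage(findings: list, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> dict:
    """Bucket findings: KEV membership or high EPSS -> act now; high CVSS alone -> schedule."""
    buckets = {"act_now": [], "schedule": [], "defer": []}
    for f in findings:
        if f.in_kev or f.epss >= epss_threshold:
            buckets["act_now"].append(f)
        elif f.cvss >= cvss_threshold:
            buckets["schedule"].append(f)
        else:
            buckets["defer"].append(f)
    # Within a bucket, confirmed exploitation outranks predicted exploitation,
    # which outranks severity.
    for b in buckets.values():
        b.sort(key=lambda f: (f.in_kev, f.epss, f.cvss), reverse=True)
    return buckets


def any_exploited_probability(findings: list) -> float:
    """P(at least one finding is exploited within 30 days), assuming independence."""
    p_none = 1.0
    for f in findings:
        p_none *= 1.0 - f.epss
    return 1.0 - p_none


if __name__ == "__main__":
    findings = build_findings(EPSS_CSV, CVSS_BASE, KEV)
    for name, items in triage(findings).items():
        print(name, [f.cve for f in items])
    print("P(any exploited in 30 days) =", round(any_exploited_probability(findings), 4))
```

The ordering inside the `act_now` bucket is deliberate: a CVE already in KEV has observed exploitation, so it is placed ahead of one with a merely high predicted probability even if the latter's EPSS score is larger. The aggregate probability helper treats CVEs as independent events, which is a simplification; it is useful for comparing the exposure of two asset groups, not as a precise forecast.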

## References

1. ["EPSS Version 4 Released"](https://www.first.org/epss/). *FIRST*. 17 March 2025. Retrieved 14 April 2025.

2. Kovacs, Eduard (2025-05-20). ["Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers"](https://www.securityweek.com/vulnerability-exploitation-probability-metric-proposed-by-nist-cisa-researchers/). *SecurityWeek*. Retrieved 2026-03-15.

3. Jiang, Yuning; Oo, Nay; Meng, Qiaoran; Hoon Wei Lim; Sikdar, Biplab (12 February 2025). "A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Challenges". [arXiv](/source/ArXiv_(identifier)):[2502.11070](https://arxiv.org/abs/2502.11070) [[cs.CR](https://arxiv.org/archive/cs.CR)].

4. Ravalico, Damiano; Farina, Mauro; Trevisan, Martino; Bartoli, Alberto (2025). ["Analysing the Temporal Dynamics of the Exploit Prediction Scoring Systems (Epss)"](https://doi.org/10.2139/ssrn.5147459). *SSRN*. Retrieved 2026-03-15.

5. ["Exploit Prediction Scoring System (EPSS) Special Interest Group (SIG)"](https://www.first.org/epss/). *FIRST, Forum of Incident Response and Security Teams*. Retrieved 2026-04-16.

6. ["What Is an EPSS Score?"](https://www.brinqa.com/glossary/what-is-epss-score/). *Brinqa*. 10 February 2024. Retrieved 14 April 2025.

7. ["EPSS Special Interest Group Portal"](https://portal.first.org/g/epss-sig). *FIRST*. Retrieved 14 April 2025.

8. ["Understanding and Using the EPSS Scoring System"](https://fossa.com/blog/understanding-using-epss-scoring-system/). *FOSSA Blog*. 20 January 2023. Retrieved 14 April 2025.

9. Parla, Rianna (4 November 2024). "Efficacy of EPSS in High Severity CVEs Found in CISA KEV". [arXiv](/source/ArXiv_(identifier)):[2411.02618](https://arxiv.org/abs/2411.02618) [[cs.CR](https://arxiv.org/archive/cs.CR)].

10. Mell, Peter; Bojanova, Irena; Galhardo, Carlos (1 May 2024). "Measuring the Exploitation of Weaknesses in the Wild". [arXiv](/source/ArXiv_(identifier)):[2405.01289](https://arxiv.org/abs/2405.01289) [[cs.CR](https://arxiv.org/archive/cs.CR)].

## External links

- [Official website](https://www.first.org/epss)

- [EPSS Data](https://www.first.org/epss/data_stats)

---
Adapted from the Wikipedia article [Exploit Prediction Scoring System](https://en.wikipedia.org/wiki/Exploit_Prediction_Scoring_System) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Exploit_Prediction_Scoring_System?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
