Exploit Prediction Scoring System

Information security standard From Wikipedia, the free encyclopedia

The Exploit Prediction Scoring System (EPSS) is a technical standard managed by FIRST for estimating the probability that a publicly disclosed software vulnerability will be exploited in the wild within the next 30 days.[1][2] EPSS is complementary to the Common Vulnerability Scoring System (CVSS): CVSS rates the intrinsic severity of a vulnerability, whereas EPSS estimates how likely it is to be exploited.[1] Combining the two aligns remediation with observed threat activity rather than with severity alone.[3][4]

EPSS
Exploit Prediction Scoring System
Year started: 2021
Latest version: Version 4
Organization: FIRST
Domain: Information security
Website: www.first.org/epss

History

The original concept and prototype were presented by researchers Michael Roytman, Jay Jacobs, and Sasha Romanosky at Black Hat in 2019.[5] In April 2020 FIRST started a special interest group to develop the standard.[6]

Versions

  • 7 January 2021 – Daily publication of public EPSS scores began (model v1).[7]
  • 4 February 2022 – Version 2 incorporated additional telemetry sources and algorithmic improvements.
  • 7 March 2023 – Version 3 introduced gradient-boosted decision trees and expanded feature sets.
  • 17 March 2025 – Version 4 added contextual threat-intelligence feeds and performance gains.[1]

Adoption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) encourages using EPSS alongside its Known Exploited Vulnerabilities (KEV) Catalog, which records confirmed in-the-wild exploitation, for patch triage.[8] Major vulnerability-management platforms, such as Rapid7, Tenable, and Qualys, integrate EPSS scores for risk-based patching.[5] Academic research uses EPSS to model exploit trends and evaluate defenses.[9]
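The following is an added example, not code from FIRST, CISA or this article, showing what "combining EPSS with CVSS and KEV" looks like in practice: it parses a feed laid out like FIRST's daily EPSS CSV (a leading `#model_version:...,score_date:...` comment line, then `cve,epss,percentile` rows), joins it with CVSS base scores and KEV membership, and orders CVEs for remediation. The triage policy (KEV first, then anything at or above an EPSS cut-off, CVSS only as a tie-breaker) and the 10% cut-off are illustrative assumptions, not a FIRST or CISA recommendation, and every CVE id, score and catalog entry below is constructed for the example.

```python
"""Triage helper joining EPSS, CVSS and KEV.  Added example; the priority
rule and all data are assumptions made for illustration."""
import csv
import io
from dataclasses import dataclass

# Constructed sample in the shape of the EPSS daily CSV (values are made up).
SAMPLE_EPSS_CSV = """#model_version:v2025.03.14,score_date:2025-06-01T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.94321,0.99876
CVE-2024-0002,0.00045,0.12345
CVE-2024-0003,0.31000,0.96500
CVE-2024-0004,0.00900,0.80100
"""

# Constructed CVSS v3.1 base scores for the same CVEs (made up).
SAMPLE_CVSS = {
    "CVE-2024-0001": 7.5,
    "CVE-2024-0002": 9.8,
    "CVE-2024-0003": 6.1,
    "CVE-2024-0004": 9.1,
}

# Constructed KEV membership (made up; the real catalog is published by CISA).
SAMPLE_KEV = {"CVE-2024-0004"}

# Assumption: treat a 30-day exploitation probability of 10% or more as "likely".
EPSS_CUTOFF = 0.10


@dataclass(frozen=True)
class EpssRecord:
    cve: str
    epss: float        # probability of exploitation in the next 30 days
    percentile: float  # rank of this score among all scored CVEs


def parse_epss_csv(text: str):
    """Return (metadata, {cve: EpssRecord}) from an EPSS-format CSV string.

    The first line is a '#key:value,key:value' comment carrying the model
    version and score date; keep it, because scores are re-published daily
    and a score is only meaningful together with the date it was computed.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#"):
        raise ValueError("missing EPSS comment header")
    meta = dict(item.split(":", 1) for item in lines[0][1:].split(","))
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])))
    records = {}
    for row in reader:
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range score for {row['cve']}")
        records[row["cve"]] = EpssRecord(row["cve"], epss, pct)
    return meta, records


def priority_key(cve, epss_records, cvss, kev):
    """Sort key; a smaller tuple means fix sooner.

    Tier 0: confirmed exploited (KEV).  Tier 1: EPSS at or above the cut-off.
    Tier 2: everything else.  Within a tier, higher EPSS first, then CVSS.
    """
    rec = epss_records.get(cve)
    epss = rec.epss if rec else 0.0
    tier = 0 if cve in kev else (1 if epss >= EPSS_CUTOFF else 2)
    return (tier, -epss, -cvss.get(cve, 0.0))


def prioritize(epss_records, cvss, kev):
    """CVE ids ordered from most to least urgent under the rule above."""
    cves = set(cvss) | set(epss_records) | set(kev)
    return sorted(cves, key=lambda c: priority_key(c, epss_records, cvss, kev))


def cvss_only_order(cvss):
    """The severity-only ordering, for comparison with prioritize()."""
    return sorted(cvss, key=lambda c: (-cvss[c], c))


if __name__ == "__main__":
    meta, records = parse_epss_csv(SAMPLE_EPSS_CSV)
    print("scores dated", meta["score_date"], "model", meta["model_version"])
    print("CVSS only :", cvss_only_order(SAMPLE_CVSS))
    print("EPSS+KEV  :", prioritize(records, SAMPLE_CVSS, SAMPLE_KEV))
```

On the constructed data the severity-only list puts CVE-2024-0002 (CVSS 9.8, EPSS 0.00045) first, while the combined ordering pushes it to the bottom and moves the KEV entry and the two high-EPSS CVEs ahead of it; that reordering is the point the article makes about aligning remediation with threat activity. The percentile column is carried along but not used by the rule; it answers a different question (how this CVE ranks against all others scored that day) and is what to use if you want a fixed share of the backlog rather than a fixed probability threshold.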
