In the conversation around vulnerability management and scoring, one often-overlooked aspect is a vulnerability’s actual exploitability. Organizations generally prioritize vulnerabilities based on criticality, such as critical or high, as well as on scores, often defined by sources such as the Common Vulnerability Scoring System (CVSS). The problem with this method of prioritization is that it doesn’t account for whether the vulnerabilities are actually exploitable. This leads organizations to focus on vulnerabilities that might not pose any risk. The Exploit Prediction Scoring System (EPSS) is an emerging system that aims to help solve this problem.