For many years, software or hardware vulnerabilities have received a “severity score,” a rating of how much damage the vulnerability could cause if malicious actors exploited it. However, this severity score does not provide defenders with a crucial piece of information – what is the likelihood that the vulnerability will be exploited? Given limited resources, network defenders would prioritize patching a moderate severity vulnerability with a high likelihood of exploitation over patching an extremely severe vulnerability with a very low likelihood of exploitation. The Exploit Prediction Scoring System (EPSS) attempts to fill this knowledge gap by providing an estimate of the likelihood that a given vulnerability will be exploited in the near future.
Join Michael Daniel, Sasha Romanosky (RAND Corporation), and Jay Jacobs (Cyentia) as they discuss EPSS and how it can help defenders, researchers, and policy makers improve cybersecurity across our digital ecosystem.