You can (not?) predict software vulnerabilities — thoughts on EPSS and SSVP.
Published Sep 9, 2022
Don’t get me wrong: I still appreciate EPSS as a significant breakthrough that, after decades of failed attempts, finally made some sense of important parameters that affect software exploitability and exploitation.
However, the importance of predictions (as opposed to reliable, up-to-date information and deterministic conclusions at hand) is as overrated as ever.
What is the difference between prediction and conclusion? You may assume that an exploit for a given vulnerability will be developed — that’s a prediction. There is a known, well-working exploit already, and we know that attackers will weaponize it with automation tools — that’s a conclusion.
So many people are (reasonably) questioning whether EPSS is ready for prime time and what a possible improvement could be. One interesting criticism came from the SEI side along with a bold proposal: drop the scoring altogether!
Yes, you are right. No more “quantitative” data in the “Stakeholder-Specific Vulnerability Prioritization”. Only “explainable decision trees”.
However, brave as it is, I think there is a fundamental flaw inherited from the CVSS 3.1 “Environmental” metrics: the organization-specific contextual data are hard to obtain. Treating them as “qualitative” and suitable for decision-making does not provide much relief. There still would be a huge organizational burden — way too big for smaller companies struggling for survival.
Objectionable, maybe. But EPSS, augmented with the more solid CISA exploitation catalog, is ready to use right now, for everyone, with next to zero overhead and just a bit of caution.
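As an added illustration of that last point (example code written for this page, not from the post or from FIRST/CISA), the triage below treats a CISA Known Exploited Vulnerabilities (KEV) entry as a conclusion and an EPSS probability as a prediction. The KEV JSON and EPSS CSV snippets are constructed samples in the shape of the real feeds, with placeholder CVE IDs, and the 0.1 threshold is an assumed tuning value.

```python
import csv
import json

# Constructed sample of the CISA KEV catalog JSON (placeholder IDs, not real entries).
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2022-09-01"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2022-08-15"},
    ],
})

# Constructed sample of the FIRST EPSS CSV feed (a '#' model line, then cve,epss,percentile).
EPSS_CSV = """#model_version:v2022.01.01,score_date:2022-09-09T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.02000,0.60000
CVE-0000-0002,0.85000,0.99000
CVE-0000-0003,0.00100,0.10000
CVE-0000-0004,0.00300,0.30000
"""


def load_kev(text):
    """CVE IDs with confirmed in-the-wild exploitation: a conclusion, not a guess."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """Map cve -> EPSS probability, skipping the leading '#' model-version line."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(rows)}


def triage(cves, kev, epss, threshold=0.1):
    """KEV entry -> act now (whatever EPSS says); EPSS >= threshold -> schedule; else defer.
    The threshold is an assumed tuning value, not a published recommendation."""
    tiers = {"act_now": [], "schedule": [], "defer": []}
    for cve in cves:
        if cve in kev:
            tiers["act_now"].append(cve)
        elif epss.get(cve, 0.0) >= threshold:
            tiers["schedule"].append(cve)
        else:
            tiers["defer"].append(cve)
    # Within each tier, highest predicted probability first.
    for tier in tiers.values():
        tier.sort(key=lambda c: epss.get(c, 0.0), reverse=True)
    return tiers


if __name__ == "__main__":
    cves = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]
    for tier, items in triage(cves, load_kev(KEV_JSON), load_epss(EPSS_CSV)).items():
        print(tier, items)
```

Note that CVE-0000-0003 lands in "act_now" despite an EPSS of 0.001: the KEV conclusion overrides the prediction, which is the caution the post asks for.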