The new machine learning (ML) based Exploit Prediction Scoring System (EPSS) can help overcome limitations of existing vulnerability tracking systems, according to a study by Rezilion.
According to Rezilion, leading vulnerability tracking systems such as the Common Vulnerability Scoring System (CVSS) and the catalog of Known Exploited Vulnerabilities (KEV) maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) still fall short at effectively predicting the severity and exploitability of a vulnerability, leaving a need for a complete and accurate scoring system.
“Relying solely on a CVSS severity score to assess the risk of individual vulnerabilities has been shown to be equivalent to randomly selecting vulnerabilities for remediation,” said the study. “Additional context is required in order to allow for a more scalable and effective prioritization strategy.”
Issues with CVSS and KEV
The study notes that CVSS isn’t scalable or effective and doesn’t even reflect the actual risk. To support its claim, Rezilion said that more than 57% of the vulnerabilities currently listed in the US National Vulnerability Database (NVD) with CVSS V3 have a high or critical base score, while an average organization can only patch around 10% of the vulnerabilities in its environment each month.
In a recent survey conducted with Ponemon, Rezilion found that most surveyed organizations reported large vulnerability backlogs and patching debt.
Fewer than 5% of vulnerabilities will ever be exploited and only a fraction of those vulnerabilities will be exploitable in the context of a given environment, it said, noting that zeroing in on the highly exploitable ones is most critical and CVSS fails at that.
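To make the prioritization argument above concrete, here is an added example (it is not code from the article or from the Rezilion study) that ranks a constructed backlog two ways: by CVSS base score alone, and by exploitation context (KEV membership plus an EPSS-style probability, which EPSS publishes as the likelihood of exploitation in the next 30 days). The vulnerability records, their IDs, scores and KEV flags are all constructed placeholders, the ranking policy is a simple one chosen for illustration, and the 10% monthly patch capacity is taken from the figure quoted above.

```python
"""Added example: CVSS-only ranking versus exploitation-aware ranking
under a fixed monthly patch capacity. All records below are constructed;
the IDs are placeholders, not real CVEs, and the ranking policy is an
assumption made for this illustration."""

from dataclasses import dataclass

# Article figure: an average organization patches ~10% of its backlog each month.
PATCH_CAPACITY_FRACTION = 0.10


@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # constructed placeholder identifier
    cvss: float    # CVSS v3 base score, 0.0-10.0
    epss: float    # EPSS-style probability of exploitation within 30 days
    in_kev: bool   # listed in the CISA KEV catalog (constructed flag)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def by_cvss(vulns):
    """Severity-only ranking: highest base score first, ties broken by id."""
    return sorted(vulns, key=lambda v: (-v.cvss, v.vuln_id))


def by_exploitability(vulns):
    """Context-aware ranking: known-exploited (KEV) entries first, then the
    highest exploitation probability, with CVSS only as a tiebreaker."""
    return sorted(vulns, key=lambda v: (not v.in_kev, -v.epss, -v.cvss, v.vuln_id))


def high_or_critical_share(vulns):
    """Fraction of the backlog that CVSS alone marks high or critical."""
    return sum(1 for v in vulns if v.cvss >= 7.0) / len(vulns)


def monthly_budget(vulns, capacity_fraction=PATCH_CAPACITY_FRACTION):
    """How many items the organization can patch this month (at least one)."""
    return max(1, round(len(vulns) * capacity_fraction))


def patch_plan(vulns, capacity_fraction=PATCH_CAPACITY_FRACTION):
    """Ids each strategy would patch this month given the limited budget."""
    budget = monthly_budget(vulns, capacity_fraction)
    return {
        "cvss_only": [v.vuln_id for v in by_cvss(vulns)[:budget]],
        "exploitability": [v.vuln_id for v in by_exploitability(vulns)[:budget]],
    }


def months_until_patched(vulns, vuln_id, ranking, capacity_fraction=PATCH_CAPACITY_FRACTION):
    """Month (1-based) in which a given item is reached by a ranking strategy,
    assuming the budget is spent strictly in ranked order each month."""
    budget = monthly_budget(vulns, capacity_fraction)
    position = [v.vuln_id for v in ranking(vulns)].index(vuln_id)
    return position // budget + 1


# Constructed sample backlog: 20 items, 11 of them high/critical by CVSS,
# but only two with any meaningful exploitation signal (V07 is in KEV with a
# high EPSS-style score; V12 is "medium" by CVSS yet very likely to be exploited).
SAMPLE_BACKLOG = [
    Vuln("V01", 9.8, 0.02, False), Vuln("V02", 9.8, 0.01, False),
    Vuln("V03", 9.1, 0.03, False), Vuln("V04", 9.0, 0.01, False),
    Vuln("V05", 8.8, 0.01, False), Vuln("V06", 8.1, 0.02, False),
    Vuln("V07", 7.8, 0.97, True),  Vuln("V08", 7.5, 0.01, False),
    Vuln("V09", 7.5, 0.02, False), Vuln("V10", 7.2, 0.01, False),
    Vuln("V11", 7.0, 0.01, False), Vuln("V12", 6.5, 0.91, False),
    Vuln("V13", 6.1, 0.01, False), Vuln("V14", 5.9, 0.01, False),
    Vuln("V15", 5.3, 0.02, False), Vuln("V16", 4.3, 0.01, False),
    Vuln("V17", 3.7, 0.01, False), Vuln("V18", 3.1, 0.01, False),
    Vuln("V19", 2.4, 0.01, False), Vuln("V20", 2.0, 0.01, False),
]

if __name__ == "__main__":
    print(f"high/critical share: {high_or_critical_share(SAMPLE_BACKLOG):.0%}")
    print("this month's plan:", patch_plan(SAMPLE_BACKLOG))
    for strategy in (by_cvss, by_exploitability):
        print(strategy.__name__, "reaches V07 in month",
              months_until_patched(SAMPLE_BACKLOG, "V07", strategy))
```

With a 10% budget the CVSS-only plan spends the month on two 9.8-rated items with negligible exploitation signal, and does not reach the known-exploited V07 until month four (or the likely-exploited V12 until month six), while the exploitation-aware ranking patches both in month one. The point is the one the study makes: severity alone spreads a small budget across a majority of the backlog, whereas exploitation context narrows it to the few items that matter.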