#epss

All Things Open

🚀 NEW on We ❤️ Open Source 🚀

Nigel Douglas explains why CVSS scores alone don’t cut it anymore. Learn how EPSS, VEX, SSVC & reachability analysis provide real-world prioritization.

Read more: https://allthingsopen.org/articles/vulnerability-prioritization-beyond-cvss

#WeLoveOpenSource #Cybersecurity #EPSS #OpenSourceSecurity #VulnerabilityManagement #DevSecOps

FIRST.org

We're getting riled up for Raleigh 😜 Are you? 🔗 https://go.first.org/jDHDu #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX #Raleigh

FIRST.org

Want an action-packed docket of dynamic speakers and cross-industry topics? Look no further💪 Register for VulnCon25 today! 🔗 https://www.first.org/conference/vulncon2025/ #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX #Raleigh

FIRST.org

Feeling vulnerable? Don't worry, we've got you 🤝 Register for the CVE/FIRST VulnCon 2025 & Annual CNA Summit today! 🔗 https://go.first.org/SBf3W #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX #Raleigh

FIRST.org

🥁 The moment we've all been waiting for is here! #VulnCon25 agenda is out now 🔗 https://go.first.org/r91zE #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX

FIRST.org

Feeling vulnerable? Don't worry, we've got you 🤝 Register for the CVE/FIRST #VulnCon25 & Annual CNA Summit today! 🔗 https://go.first.org/SBf3W #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX #Raleigh

FIRST.org

Let's be vulnerable together💕 Register for VulnCon25 today 🔗 https://www.first.org/conference/vulncon2025/ #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX #Raleigh

FIRST.org

Not able to attend VulnCon25 in person? 😥 Attend from home and register for our virtual option today 😁 🔗 https://go.first.org/jDHDu #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX

FIRST.org

Let's be vulnerable together💕 Register for #VulnCon25 today 🔗 https://www.first.org/conference/vulncon2025/ #vulnerabilitymanagement #CVE #CVSS #EPSS #CISA #MITRE #VEX #Raleigh

One of the reasons why I personally am not a fan of the Exploit Prediction Scoring System (#EPSS). It gives a false sense of predictability. Or in the words of Taleb: "Giving someone the wrong map is worse than giving them no map at all."

#InfoSec #CyberSecurity #AppSec #Pentesting #Hacking #BugBounty #CVE infosec.exchange/@malwaretech/

Infosec Exchange | Marcus Hutchins (@malwaretech@infosec.exchange)

Wanted to share my thread about vulnerability scoring and overhyping vulnerabilities here too. It primarily stemmed from the discussion about whether CVE-2024-38063 was overhyped or not, but I think it translates well to vulnerability scoring in general.

Many people like to blame vendors or shortcomings in CVSS for overhyping vulnerabilities, but a lot of the time it's just that vulnerability scoring is really really difficult, especially for memory corruption vulnerabilities. On a technical level, it's hard to know whether a memory corruption is practically and reliably exploitable. Whilst the person who discovered it may not have a stable exploit, someone could later come along and find a different technique that makes the exploit code infinitely more reliable.

Even in cases where a very severe vulnerability is reliably exploitable, widespread exploitation isn't guaranteed. Due to the mechanics of the cybercrime economy, there are very few skilled exploit developers on that side of things. Most of the high caliber vulnerability researchers are either doing cybersecurity work, or selling CNE capabilities to governments. As a result, a lot of n-day exploitation is going to be low-level targeted attacks by state-sponsored threat actors, rather than indiscriminate mass exploitation by cybercriminals. To many outsiders, it may even appear as if a vulnerability never got picked up and exploited at all. The only people who are going to know any different are the unlucky chosen ones who got targeted.

The five alarm fires, which many of these dire warnings like "this vulnerability is wormable" and "drop everything & patch now" seek to avoid, are near impossible to predict in reality. The WannaCrys, and the BlueKeeps usually have external aggravating factors. In both cases, this was fully functional exploit code being released publicly.

Most threat actors don't have top-tier exploit development capabilities, but every single one of them can use Google. The difference between a typical cybersecurity incident and the worst ransomware attack the world has ever seen, can be as simple as one person's decision to publish exploit code. Nobody has a crystal ball to tell if or when that might happen, but by the time it does, it's way too late to start issuing warnings. So if you're feeling frustrated having to drop everything to patch yet another nothing-burger CVSS 9.0+ vulnerability, just remember that the decision of a single individual can quickly turn that nothing-burger into a threat actor spray & pray free-for-all.

We need metrics to figure out which #CVE matter

There is a group of people screaming we should just fix all the vulnerabilities by upgrading everything constantly (it seems obvious these people have never actually maintained software for more than 3 months)

Without a way to prioritize fixes, we can't move from this "fix all the criticals in one Scaramucci"

This is probably why #EPSS is getting so much attention. It's the least terrible scoring system we have at the moment

If you took all vulnerability exploitation attempts targeting your organization and grouped them into three buckets of new, active, and dormant - it might look like this.

The blue is the proportion of "active" exploits that your sensors have registered in the recent past.

Exploits represented by the teal area have been attacked in the past but have gone dormant for a time (it's been a while since you've seen them).

The red undercurrent corresponds to new exploits never seen before.

My takeaway? Newly exploited vulns get the most *attention*, but the older ones get the most *action*.

#vulnerabilitymanagement #vulnerability #vulnerabilities #vulnerability_exploits #exploit #exploitation #cyberattack #cyberattacks #epss #cvss #kev

This comes from a brand new Cyentia Institute study exploring years of exploitation activity. It's available here with no registration required: cyentia.com/epss-study/

cvecrowd.com now shows #EPSS scores.

As one of the first feature requests since CVE Crowd launched, I'm happy to finally be able to fulfill it.

The score estimates the likelihood of a vulnerability being exploited in the wild.

As such, it can be used to prioritize remediation efforts.

I hope you like it!

cvecrowd.com | CVE Crowd | Crowd Intelligence on CVEs: Keep track of actively discussed CVEs and integrate them into your application or business!

In addition, I am one of the original authors of #CVSS. Back almost 20 years ago, there was no open standard that could capture the severity of a #CVE, so it was the best we could do. And it worked. Pretty well, actually. For a while.

But now our thinking has evolved. Vuln severity isn’t enough. We want to know about exploitation in the wild. And so the amazing Jay Jacobs, I, and others developed #EPSS, an entirely data driven way of estimating the probability that a vuln will be exploited.