FAQ

The CVSS score measures the intrinsic severity of a vulnerability, but not its actual exploitation or relevance in a specific environment. For example, a vulnerability may have a high score but be hard to exploit in your infrastructure, or conversely, a medium-score flaw might target a critical, unsegmented system.

To assess risk more accurately, it's important to include complementary indicators such as:

  • The EPSS score (probability of actual exploitation)
  • Inclusion in the KEV list (confirmed exploitation)
  • The business or technical context of the affected environment

Thus, CVSS should be viewed as an indicator of severity, not a complete risk assessment.

#CVE #CVSS

Yes, a CVSS score can evolve over time, especially when new information emerges. For example, a public exploit, a patch bypass, or confirmed active exploitation may lead analysts to revise the temporal score or even the base vector if an error was identified in the initial assessment.

Moreover, automated tools like those from the NVD regularly update CVSS scores based on field data and publications. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.

#CVE #CVSS

EPSS complements CVSS by adding a temporal and behavioral dimension to vulnerability assessment. CVSS measures the severity of a flaw based on intrinsic properties (impact, complexity, accessibility), but says nothing about the actual likelihood of exploitation. EPSS fills this gap by analyzing real-world data, such as trends observed in honeypots, vulnerability search engines, or threat intelligence feeds.

This complementarity is valuable for risk management: a flaw may be critical according to CVSS but unexploited (low EPSS), or appear mild in theory but widely used in automated attacks. Using both scores together helps define more relevant and grounded priorities.

#EPSS #CVSS

The CVSS scale ranges from 0.0 to 10.0, and each range is associated with a severity level:

  • 0.0: None
  • 0.1 to 3.9: Low
  • 4.0 to 6.9: Medium
  • 7.0 to 8.9: High
  • 9.0 to 10.0: Critical

This classification allows organizations to filter vulnerabilities by severity, but it does not consider the specific context of each company. That’s why other criteria, such as active exploitation or the affected assets, should be included in the evaluation.

#CVE #CVSS

CISA (Cybersecurity and Infrastructure Security Agency) is a U.S. government agency. It is responsible for protecting the critical infrastructure of the United States against cyber and physical threats, by providing support, tools, and recommendations to administrations, businesses, and the public.

In the cybersecurity field, CISA acts as a coordination center to prevent cyberattacks, respond to incidents, share threat information, and promote best security practices. Although based in the U.S., its role and resources influence cybersecurity practices worldwide, thanks to its transparency and leadership.

#CISA

The EPSS model is developed and maintained by the FIRST (Forum of Incident Response and Security Teams) community, in collaboration with researchers, data analysts, and cybersecurity professionals. It is an open and collaborative project, with publicly documented methods and regularly updated results.

This model relies on large-scale statistical data and machine learning techniques. It is designed to be transparent, reproducible, and freely accessible, making it a reliable and practical tool for security teams worldwide.

#EPSS #FIRST

CVSS is divided into three sub-scores:

  • Base score: evaluates the intrinsic severity of the vulnerability, regardless of context. It is usually public.
  • Temporal score: adjusts the rating based on factors such as exploit availability or the existence of a patch. It reflects the maturity of the threat.
  • Environmental score: allows organizations to adapt the evaluation to their own context (asset importance, exposure, business impact). It is customized for each company.

By combining these three layers, the CVSS model becomes a more flexible tool for refining remediation priorities based on real-world conditions.

#CVE #CVSS

Yes, more and more organizations use EPSS as a priority criterion to decide which vulnerabilities to fix first, especially when dealing with a large volume of issues. Fixing all CVEs with a high CVSS score can be costly and inefficient, especially if some are never exploited. EPSS helps focus resources on truly dangerous vulnerabilities.

Some security policies now include EPSS-based thresholds, such as: “fix any vulnerability with an EPSS score > 0.7 within 48 hours.” This pragmatic approach accelerates remediation where it is most useful, while limiting unnecessary interruptions.

#EPSS

Yes, there is an official CVSS score calculator provided by the FIRST standards forum, which maintains the CVSS standard. It is available online at: https://www.first.org/cvss/calculator.

This calculator allows users to build a vector by selecting the relevant metrics, then automatically calculates the scores (base, temporal, environmental).

#CVE #CVSS

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE) a likelihood of being exploited within 30 days of observation.

The purpose of EPSS is to complement other evaluation systems (such as CVSS) by adding a dynamic and contextual layer based on real-world exploitation data. This helps organizations better prioritize their remediation efforts according to actual risk.

#EPSS #CVSS

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measurement of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measurement, focused on the actual likelihood of exploitation.

Together, these two scores allow for a more accurate risk assessment, both theoretical and operational. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities that have both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with both indicators.
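Added example code, not part of the original FAQ: a small triage routine that applies the indicators discussed above (KEV membership, the EPSS > 0.7 within 48 hours rule, and the hybrid CVSS ≥ 7 and EPSS ≥ 0.5 rule) to a constructed inventory and a constructed feed shaped like the FIRST EPSS API response. The tier names, the 7-day tier, the exposed-asset rule and the CVE identifiers are assumptions for illustration, not from the page.

```python
import json
# Constructed sample shaped like a FIRST EPSS API response (not real scores).
EPSS_FEED = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-0000-0001", "epss": "0.912", "percentile": "0.998", "date": "2024-01-01"},
    {"cve": "CVE-0000-0002", "epss": "0.031", "percentile": "0.870", "date": "2024-01-01"},
    {"cve": "CVE-0000-0003", "epss": "0.550", "percentile": "0.970", "date": "2024-01-01"},
    {"cve": "CVE-0000-0004", "epss": "0.004", "percentile": "0.600", "date": "2024-01-01"},
]})
# Constructed KEV membership (in practice, loaded from CISA's published catalog).
KEV = {"CVE-0000-0002"}
# Constructed findings: (cve, CVSS base score, asset is internet-exposed).
FINDINGS = [
    ("CVE-0000-0001", 9.8, True),
    ("CVE-0000-0002", 5.3, False),   # medium score, but confirmed exploited
    ("CVE-0000-0003", 7.5, False),
    ("CVE-0000-0004", 9.1, True),    # critical score, almost never exploited
    ("CVE-0000-0005", 6.5, False),   # absent from the EPSS feed
]
TIER_ORDER = {"P1-48h": 0, "review": 1, "P2-7d": 2, "P3-cycle": 3}

def load_epss(feed_json):
    """Map CVE id -> EPSS probability; the API serialises scores as strings."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(feed_json)["data"]}

def triage(cvss, exposed, epss, in_kev):
    """Apply the FAQ's rules in order of confidence: confirmed exploitation first,
    then predicted exploitation, then severity combined with context."""
    if epss is None:
        # A CVE missing from the feed is unknown, not low-probability: flag it.
        return "review", "no EPSS score in feed; do not assume low likelihood"
    if in_kev:
        return "P1-48h", "listed in CISA KEV (confirmed exploitation)"
    if epss > 0.7:
        return "P1-48h", f"EPSS {epss:.3f} > 0.7"
    if cvss >= 7.0 and epss >= 0.5:
        return "P2-7d", f"CVSS {cvss} >= 7 and EPSS {epss:.3f} >= 0.5"
    if cvss >= 9.0 and exposed:  # environmental context (assumed rule)
        return "P2-7d", "critical CVSS on an internet-exposed asset"
    return "P3-cycle", f"CVSS {cvss}, EPSS {epss:.3f}, not in KEV"

def prioritize(findings, feed_json, kev):
    """Return (cve, tier, reason) rows, most urgent first."""
    epss_by_cve = load_epss(feed_json)
    rows = [(cve, *triage(cvss, exposed, epss_by_cve.get(cve), cve in kev))
            for cve, cvss, exposed in findings]
    return sorted(rows, key=lambda row: TIER_ORDER[row[1]])

if __name__ == "__main__":
    for cve, tier, reason in prioritize(FINDINGS, EPSS_FEED, KEV):
        print(f"{tier:9} {cve}  {reason}")
```

Because EPSS is refreshed daily, the feed should be re-fetched on each run rather than cached, and a CVE missing from it is treated as unknown rather than safe.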

#EPSS #CVSS

CISA plays a central role in managing vulnerabilities on a large scale. It identifies, evaluates, and actively communicates about security flaws that could impact critical infrastructure, including government services, essential service operators, and large enterprises. It often collaborates with MITRE, software vendors, security researchers, and other international agencies.

Among its responsibilities, it publishes security bulletins, coordinates responses to major vulnerabilities, and sometimes mandates remediation deadlines for certain flaws in public entities through federal directives (BODs). Its goal is to reduce the time between the discovery of a vulnerability and its effective mitigation in the field.

#CISA

EPSS scores are updated daily, reflecting the dynamic nature of threats and vulnerability exploitation. At any time, changes in the threat landscape (exploit releases, forum discussions, honeypot detections) can alter the likelihood of a CVE being targeted.

This frequent updating makes EPSS a more responsive tool than CVSS, whose scores rarely change once published. To fully benefit from EPSS, it is recommended to integrate automated feeds or APIs to continuously track scores.

#EPSS

The CVSS (Common Vulnerability Scoring System) measures the severity of a vulnerability by assigning it a score from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective evaluation of vulnerabilities so that organizations can compare and prioritize them accordingly.

This score takes into account several aspects: ease of exploitation, potential effects on confidentiality, integrity and availability, as well as the conditions required to carry out the attack. In summary, CVSS helps quantify the inherent danger level of a security flaw.

#CVE #CVSS

The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on the flaws that present an immediate threat.

By publishing this list, CISA provides a very practical risk management tool: it highlights not only known flaws, but also the most critical and urgent ones. For U.S. federal agencies, remediation of these flaws is mandatory within strict deadlines. Beyond the U.S., the KEV list is widely consulted by cybersecurity professionals worldwide to guide their patch management strategies.

#CISA #KEV
