FAQ

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measurement of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measurement, focused on the actual likelihood of exploitation.

Together, these two scores allow for a more accurate risk assessment, both theoretical and operational. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities that have both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with both indicators.

EPSS complements CVSS by adding a temporal and behavioral dimension to vulnerability assessment. CVSS measures the severity of a flaw based on intrinsic properties (impact, complexity, accessibility), but says nothing about the actual likelihood of exploitation. EPSS fills this gap by analyzing real-world data, such as trends observed in honeypots, vulnerability search engines, or threat intelligence feeds.

This complementarity is valuable for risk management: a flaw may be critical according to CVSS but unexploited (low EPSS), or appear mild in theory but widely used in automated attacks. Using both scores together helps define more relevant and grounded priorities.

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE) a likelihood of being exploited within 30 days of observation.

The purpose of EPSS is to complement other evaluation systems (such as CVSS) by adding a dynamic and contextual layer based on real-world exploitation data. This helps organizations better prioritize their remediation efforts according to actual risk.

The CVSS (Common Vulnerability Scoring System) measures the severity of a vulnerability by assigning it a score from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective evaluation of vulnerabilities so that organizations can compare and prioritize them accordingly.

This score takes into account several aspects: ease of exploitation, potential effects on confidentiality, integrity and availability, as well as the conditions required to carry out the attack. In summary, CVSS helps quantify the inherent danger level of a security flaw.

The CVSS scale ranges from 0.0 to 10.0, and each range is associated with a severity level:

• 0.0: None
• 0.1 to 3.9: Low
• 4.0 to 6.9: Medium
• 7.0 to 8.9: High
• 9.0 to 10.0: Critical

This classification allows organizations to filter vulnerabilities by severity, but it does not consider the specific context of each company. That’s why other criteria, such as active exploitation or the affected assets, should be included in the evaluation.

The CVSS score measures the intrinsic severity of a vulnerability, but not its actual exploitation or relevance in a specific environment. For example, a vulnerability may have a high score but be hard to exploit in your infrastructure, or conversely, a medium-score flaw might target a critical, unsegmented system.

To assess risk more accurately, it's important to include complementary indicators such as:

• The EPSS score (probability of actual exploitation)
• Inclusion in the KEV list (confirmed exploitation)
• The business or technical context of the affected environment

Thus, CVSS should be viewed as an indicator of severity, not a complete risk assessment.

CVSS is divided into three sub-scores:

• Base score: evaluates the intrinsic severity of the vulnerability, regardless of context. It is usually public.
• Temporal score: adjusts the rating based on factors such as exploit availability or the existence of a patch. It reflects the maturity of the threat.
• Environmental score: allows organizations to adapt the evaluation to their own context (asset importance, exposure, business impact). It is customized for each company.

By combining these three layers, the CVSS model becomes a more flexible tool for refining remediation priorities based on real-world conditions.

Yes, a CVSS score can evolve over time, especially when new information emerges. For example, a public exploit, a patch bypass, or confirmed active exploitation may lead analysts to revise the temporal score or even the base vector if an error was identified in the initial assessment.

Moreover, automated tools like those from the NVD regularly update CVSS scores based on field data and publications. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.

Yes, there is an official CVSS score calculator provided by the FIRST standards forum, which maintains the CVSS standard. It is available online at: https://www.first.org/cvss/calculator.

This calculator allows users to build a vector by selecting the relevant metrics, then automatically calculates the scores (base, temporal, environmental).