Comparing CVSS and EPSS: Addressing CVSS Problems with EPSS

What is CVSS?

CVSS, or the Common Vulnerability Scoring System, can be viewed as the weather forecast for cybersecurity professionals. CVSS a free and open industry standard designed to quantify and rank the severity of software vulnerabilities. Developed by the National Vulnerability Database (NVD), it has been the go-to choice for organizations worldwide to assess the potential risks posed by security vulnerabilities.

How Does CVSS Work?

Imagine a vulnerability emerges in a software system. CVSS steps in, assigning a score typically ranging from 0 to 10 to indicate the vulnerability’s severity. Here’s a breakdown of how it operates:

1. Base Score: This core component evaluates the intrinsic qualities of the vulnerability, considering factors such as how it’s accessed, its impact, and the complexity of exploitation.
2. Temporal Score: Vulnerabilities can evolve. The temporal score takes these changes into account, considering factors like the availability of patches or the ease of exploitation over time.
3. Environmental Score: Not all environments are equal. CVSS factors in the unique circumstances of a specific system, including the importance of the asset at risk.

What is EPSS?

EPSS, on the other hand, stands for Exploit Prediction Scoring System. This is where things get intriguing. EPSS is a relatively newer entrant in the world of cybersecurity, developed by researchers who sought a more proactive approach to security. While CVSS focuses on the impact of a vulnerability, EPSS takes a different angle by trying to predict the likelihood of an exploit occurring.

How Does EPSS Work?

EPSS takes a unique approach. Instead of focusing on the vulnerability itself, it analyzes historical data and trends to predict the probability of an exploit emerging.

1. Data Analysis: EPSS crunches numbers, examining past exploits, vulnerabilities, and the time it took for an exploit to emerge after the vulnerability was discovered.
2. Machine Learning Magic: EPSS doesn’t rely solely on human intuition. It employs machine learning algorithms to make predictions based on the historical data it has gathered.

Real-World Scenario: EPSS in Action

Imagine a company running a legacy system with known vulnerabilities. EPSS analyzes historical data and reveals that similar vulnerabilities in the past took an average of two weeks to be exploited. Armed with this information, the company expedites the patching process and intensifies monitoring during this critical window.

The Common Vulnerabilities and Exposures (CVE) System

Launched in September 1999, the common vulnerability and exploit (CVE) system was introduced as a standardized method for tracking vulnerabilities in software. Over the years, it has become the de facto method for identifying and cataloguing security vulnerabilities. Each vulnerability is assigned a unique identifier known as a CVE number, allowing security professionals, organizations, and governments to reference and address vulnerabilities consistently. However, the CVE system, despite its widespread adoption, is not without its share of challenges.

A Close Look at CVE’s Challenges

To better understand the need for a solution like EPSS, let’s delve deep into the challenges posed by CVE and CVSS, along with real-world examples that highlight these issues.

Challenge 1: Numbering and Scoring Process

The CVE system employs the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities. CVSS is a widely used method for providing a qualitative measure of severity, but it has limitations. The CVE-assignment process has been criticized for its lack of transparency, and the severity scoring process using CVSS can sometimes produce misleading results.

Example 1: Inaccurate Severity Scoring

In the world of vulnerability management, accurately assessing the severity of a vulnerability is crucial. However, the CVSS-based severity scoring in the CVE system has faced criticism for its occasional inaccuracies. For instance, vulnerabilities that are not security-critical have been assigned high CVSS scores, leading to unnecessary urgency in addressing them.

Real-world Example: CVE-2020-19909, an integer-overflow bug in the curl tool and library for URL-based data transfers, was reported to the project in 2023. The CVSS scoring process initially rated it as “9.8 critical,” considering an integer overflow in a delay parameter as one of the most severe types of vulnerabilities possible. However, the curl argued that this was not a security problem and should not have been scored as such.

Example 2: Lack of Transparency

Another challenge with the CVE system is the lack of transparency in the numbering and scoring process. Often, it is unclear how CVE numbers are assigned, and the rationale behind severity scores can be opaque.

Real-world Example: Vulnerability assessments must be transparent and comprehensible. However, the CVSS scoring process has been criticized for its lack of clarity. Organizations and security professionals need a clear understanding of why a particular severity score was assigned to a vulnerability.

Challenge 2: Gaming the System

The prominence of CVE numbers has led to a scenario where the reputation of individuals or organizations reporting vulnerabilities can be enhanced. This situation has created an incentive for individuals or entities to actively manipulate the system for personal gain, often at the expense of accurate vulnerability assessment.

Example 3: Reputation-Based Manipulation

The prominence of CVE numbers has created an environment where the reputation of those who report vulnerabilities can be enhanced. Unfortunately, this has also led to attempts to manipulate the system for personal gain.

Real-world Example: In some cases, individuals or organizations have actively sought to gain recognition by reporting vulnerabilities, sometimes exaggerating the severity to boost their reputations. This not only distorts the vulnerability assessment process but also diverts attention and resources away from genuinely critical security issues.

Challenge 3: Inconsistent Severity Scoring

Another challenge is the inconsistency in the severity scoring process. Vulnerabilities that are not necessarily security-critical have been assigned high CVSS scores, causing unnecessary urgency in addressing them. This can lead to resource allocation problems and divert attention from more critical security issues.

Example 4: Misleading Severity Scores

Inconsistent severity scoring is another issue plaguing the CVE system. Vulnerabilities that may not pose significant security risks have been assigned high CVSS scores, leading to resource allocation problems and confusion among security professionals.

Real-world Example: A real-world example includes vulnerabilities being labelled as “critical” when they are not, causing unnecessary panic and diversion of resources. CVE-2020-19909 was ranked 9.8 (Critical) however curl looked at it and disputed that this is not a vulnerability, but rather a bug in the software. This often occurs when the severity scoring process relies on static metrics without considering the practical implications of the vulnerability.

EPSS as a Solution

Now that we have examined the challenges posed by CVE and CVSS, let’s explore how EPSS offers solutions to these problems.

Solution 1: Real-time Threat Assessment

EPSS introduces a dynamic probability score between 0 and 1, indicating the likelihood of a vulnerability being exploited in the near future, typically within the next 30 days. This real-time threat assessment takes into account a wide range of factors, including the vulnerability’s characteristics, historical data, and evolving threat landscape. Unlike CVSS, which provides a static severity score, EPSS offers continuous and adaptive risk assessment based on evolving threat data.

Solution 2: Contextual Prioritization

One of EPSS’s key strengths lies in its contextual prioritization. While CVSS relies on fixed metrics to assess severity, EPSS adapts to changing circumstances and emerging threats. It considers not only the innate characteristics of vulnerabilities but also their likelihood of exploitation in a specific environment. This contextual awareness empowers organizations to prioritize vulnerabilities based on the actual risk to their unique systems and data.

Solution 3: Proactive Remediation

EPSS’s ability to predict the likelihood of exploitation within a specific timeframe enables organizations to take proactive measures. Instead of reacting to vulnerabilities as they are discovered, organizations can anticipate potential threats and implement preventive measures. This proactive approach can significantly enhance an organization’s security posture and reduce the window of vulnerability.

Solution 4: Transparency and Accuracy

EPSS aims to provide transparency in its risk assessment process. By relying on data-driven threat information, EPSS reduces the potential for gaming the system or assigning inaccurate severity scores. Unlike CVSS, which can be influenced by subjective assessments, EPSS leverages objective data to assess the real-world risk associated with a vulnerability.

Conclusion

In an era where cybersecurity threats continue to evolve, innovative approaches like EPSS are essential to enhancing the accuracy and effectiveness of vulnerability assessments. While CVE and CVSS have played significant roles in vulnerability management, it’s crucial to explore new methodologies that can adapt to the ever-changing threat landscape. EPSS represents a significant step forward in this direction, offering a dynamic and data-driven approach to vulnerability assessment that aligns with the demands of modern cybersecurity.

By offering real-time threat assessment, contextual prioritization, proactive remediation, and transparency, EPSS addresses the shortcomings of the CVE system. Organizations can benefit from a more dynamic and accurate approach to vulnerability assessment, enabling them to stay ahead of evolving threats and make informed decisions to protect their systems and data.

 By Yakubu Birma and Ahmed Rufai,