A little help with the EPSS responses

I’m playing with the EPSS API

    curl "https://api.first.org/data/v1/epss?cve=CVE-2024-28816&pretty=true"

And getting the response

    {
        "status": "OK",
        "status-code": 200,
        "version": "1.0",
        "access": "public",
        "total": 1,
        "offset": 0,
        "limit": 100,
        "data": [
            {
                "cve": "CVE-2024-28816",
                "epss": "0.000430000",
                "percentile": "0.071720000",
                "date": "2024-03-14"
            }
        ]
    }

Can anyone describe how I can interpret these results for each CVE please?

In the API response:

epss is the probability of exploitation activity (a value between 0 and 1) in the next 30 days.

Which begs the question: what is a high probability in the context of all CVEs?

This is where the percentile comes in to add the context.

In your example it is saying the data is in the (roughly) 7th percentile. What that means is 7% of data has a lower EPSS score (probability of being exploited), and 93% has a higher score.

In simpler terms: the higher the percentile, the more chance this CVE is currently at risk of being exploited.

The date property is also critical here. EPSS data is updated every day for each published CVE. This means the EPSS score could (and is very likely to) change on a daily basis.

For example, if new information is discovered about a CVE it might increase the probability that it’s exploited. Generally over longer periods of time, the older a vulnerability is, the less likely it is to be exploited (although of course, this is not true in every case).

Vulcan have a much better write-up on this topic that I would also recommend reading: EPSS: The ultimate guide
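As an added example (not code from the question or the answer above), a small Python parser that takes an EPSS response in the shape shown, converts `epss` and `percentile` into the "X% scored lower / Y% scored higher" reading described, flags rows whose `date` is older than a chosen window (since scores change daily), and ranks CVEs by probability. The sample response is constructed: the first row is the one from the question, the second uses a placeholder CVE id with made-up scores.

```python
import json
from datetime import date

# Constructed sample in the shape of an EPSS API response. First row is from the
# question; the second is a placeholder CVE id with made-up scores.
SAMPLE_RESPONSE = """{
  "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
  "total": 2, "offset": 0, "limit": 100,
  "data": [
    {"cve": "CVE-2024-28816", "epss": "0.000430000",
     "percentile": "0.071720000", "date": "2024-03-14"},
    {"cve": "CVE-0000-00001", "epss": "0.912300000",
     "percentile": "0.998100000", "date": "2024-03-14"}
  ]
}"""


def parse_epss(raw, today=None, max_age_days=1):
    """Parse an EPSS response and explain each row.
    epss       -> probability (0..1) of exploitation activity in the next 30 days
    percentile -> share of scored CVEs with a lower EPSS score
    date       -> scoring date; rows older than max_age_days are flagged stale
    `today` is an ISO date string (defaults to the real current date)."""
    doc = json.loads(raw)
    if doc.get("status") != "OK" or doc.get("status-code") != 200:
        raise ValueError(f"EPSS API error: {doc.get('status')!r}")
    ref = date.fromisoformat(today) if today else date.today()
    rows = []
    for row in doc["data"]:
        pct = float(row["percentile"])
        scored = date.fromisoformat(row["date"])
        rows.append({
            "cve": row["cve"],
            "epss": float(row["epss"]),
            "percentile": pct,
            "lower_share_pct": round(pct * 100, 1),         # % of CVEs scored lower
            "higher_share_pct": round((1 - pct) * 100, 1),  # % of CVEs scored higher
            "stale": (ref - scored).days > max_age_days,
        })
    return rows


def rank_by_epss(rows):
    """Highest exploitation probability first: a simple triage order."""
    return sorted(rows, key=lambda r: r["epss"], reverse=True)


if __name__ == "__main__":
    for r in rank_by_epss(parse_epss(SAMPLE_RESPONSE, today="2024-03-15")):
        print(f"{r['cve']}: epss={r['epss']:.5f} ({r['lower_share_pct']}% lower, "
              f"{r['higher_share_pct']}% higher){' [stale]' if r['stale'] else ''}")
```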