Add EPSS responses to Vulnerability Objects

We use EPSS scoring as part of our CVE prioritisation workflow.

You can access EPSS data freely via their API:

curl "https://api.first.org/data/v1/epss?cve=CVE-2024-28816&pretty=true"

{
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "access": "public",
    "total": 1,
    "offset": 0,
    "limit": 100,
    "data": [
        {
            "cve": "CVE-2024-28816",
            "epss": "0.000430000",
            "percentile": "0.071720000",
            "date": "2024-03-14"
        }
    ]
}

In the API response:

epss is the probability of exploitation activity (a value between 0 and 1) in the next 30 days.

Which begs the question: what is a high probability in the context of all CVEs?

This is where the percentile comes in to add the context.

In your example it is saying the data is in the (roughly) 7th percentile. What that means is that 7% of data has a lower EPSS score (probability of being exploited) and 93% has a higher score.

In simpler terms: the higher the percentile, the more chance this CVE is currently at risk of being exploited.

The date property is also critical here. EPSS data is updated every day for each published CVE. This means the EPSS score could (and is very likely to) change on a daily basis.

For example, if new information is discovered about a CVE it might increase the probability that it’s exploited. Generally over longer periods of time, the older a vulnerability is, the less likely it is to be exploited (although of course, this is not true in every case).

Vulcan have a much better write-up on this topic that I would also recommend reading: EPSS: The ultimate guide

All that being said, it would be useful to add EPSS scoring to the data produced by cve2stix.

We previously did this…

However, the problem is, as you note, the date is key.

To be useful, we really need to update this data every day inside of the object. With over 200k published CVEs this becomes problematic.

I do think this data is still very valuable. I am going to do a little research as to how we can efficiently update objects (or maybe use STIX Notes objects) for EPSS data in arango_cti_processor.

I've raised a ticket here: https://github.com/muchdogesec/arango_cti_processor/issues/7
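The interpretation of the EPSS response described in the comment above (epss as an absolute 30-day probability, percentile as the rank among all scored CVEs, and date as the freshness of the score), worked through as an added example. This is not code from cve2stix, arango_cti_processor or FIRST; it only assumes the response shape shown above and that the public API accepts a comma-separated list of CVE IDs in the `cve` parameter. The first sample record is the real response quoted above for CVE-2024-28816; the other two records use placeholder IDs (`CVE-0000-0001`, `CVE-0000-0002`) and made-up values, so the script runs offline. The tier thresholds are illustrative, not a recommendation.

```python
"""Parse, age-check and rank EPSS API responses.

Added example, not part of cve2stix or arango_cti_processor. The payload shape
follows the public FIRST EPSS API (https://api.first.org/data/v1/epss). All
records other than CVE-2024-28816 are constructed placeholders, not real data.
"""
import json
from datetime import date

EPSS_API = "https://api.first.org/data/v1/epss"

# Constructed sample response. CVE-2024-28816 is the real record quoted in the
# issue; CVE-0000-0001 and CVE-0000-0002 are placeholders with made-up scores.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "access": "public",
    "total": 3,
    "offset": 0,
    "limit": 100,
    "data": [
        {"cve": "CVE-2024-28816", "epss": "0.000430000",
         "percentile": "0.071720000", "date": "2024-03-14"},
        {"cve": "CVE-0000-0001", "epss": "0.912300000",
         "percentile": "0.998700000", "date": "2024-03-14"},
        {"cve": "CVE-0000-0002", "epss": "0.051000000",
         "percentile": "0.920100000", "date": "2024-03-01"},
    ],
})


def epss_query_url(cves):
    """Build one batch query URL for several CVEs (assumption: the API accepts
    a comma-separated list in ``cve``). Batching is how you would avoid one
    request per CVE when refreshing a large number of objects daily."""
    return EPSS_API + "?cve=" + ",".join(cves)


def parse_epss_response(raw):
    """Turn one API response into {cve: {"epss": float, "percentile": float,
    "date": date}}. The API serialises numbers as strings, so convert them and
    reject anything outside [0, 1]; a non-OK status is an error, not an empty
    result, so a failed refresh is never mistaken for "no data"."""
    payload = json.loads(raw)
    if payload.get("status") != "OK":
        raise ValueError("EPSS API returned status %r" % payload.get("status"))
    records = {}
    for item in payload.get("data", []):
        epss = float(item["epss"])            # P(exploitation in next 30 days)
        percentile = float(item["percentile"])  # share of CVEs scoring lower
        if not (0.0 <= epss <= 1.0 and 0.0 <= percentile <= 1.0):
            raise ValueError("out-of-range EPSS values for %s" % item["cve"])
        records[item["cve"]] = {
            "epss": epss,
            "percentile": percentile,
            "date": date.fromisoformat(item["date"]),
        }
    return records


def is_stale(record, today, max_age_days=1):
    """EPSS is recomputed daily, so a score older than max_age_days should be
    refreshed before it drives a prioritisation decision."""
    return (today - record["date"]).days > max_age_days


def prioritise(records, today, epss_threshold=0.1, percentile_threshold=0.9):
    """Rank CVEs by absolute probability (epss, descending) and tier each one:

    'high'  - epss >= epss_threshold OR percentile >= percentile_threshold
    'low'   - otherwise
    'stale' - the score is too old to act on, whatever its value

    ``today`` is an ISO date string so callers can pin the reference day.
    Returns a list of (cve, epss, percentile, tier) tuples.
    """
    today = date.fromisoformat(today)
    ranked = sorted(records.items(), key=lambda kv: kv[1]["epss"], reverse=True)
    rows = []
    for cve, rec in ranked:
        if is_stale(rec, today):
            tier = "stale"
        elif rec["epss"] >= epss_threshold or rec["percentile"] >= percentile_threshold:
            tier = "high"
        else:
            tier = "low"
        rows.append((cve, rec["epss"], rec["percentile"], tier))
    return rows


if __name__ == "__main__":
    print(epss_query_url(["CVE-2024-28816", "CVE-0000-0001", "CVE-0000-0002"]))
    for row in prioritise(parse_epss_response(SAMPLE_RESPONSE), "2024-03-14"):
        print("%-16s epss=%.5f percentile=%.5f %s" % row)
```

The two thresholds are deliberately independent: epss answers "how likely is this to be exploited at all", percentile answers "how does it compare with every other scored CVE", and a CVE can be worth attention on either axis. The stale tier exists because, as noted above, the date is key; a score that was not refreshed should be treated as unknown rather than as still valid.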