Evaluating the Evolution of the Exploit Prediction Scoring System
Category: Research Poster
Author(s): Krithika Turaka
Presenter(s): Krithika Turaka
Mentor(s): Viktoria Koscinski
The Exploit Prediction Scoring System (EPSS) is commonly used by security teams to prioritize the patching (fixing) of vulnerabilities by estimating how likely it is that a vulnerability will be exploited in the wild. Earlier EPSS versions underpredicted approximately 80% of the vulnerabilities in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog. Newer releases have since introduced improvements, but as organizations depend more on EPSS scores to make patching decisions, it is important to assess how much newer versions actually improve performance. This study conducts a comparative analysis of EPSS versions using the KEV catalog as the basis for observed exploitation. We evaluate scores from multiple EPSS versions to compare top scores, scoring trends, score distributions, average predicted probabilities, and the percentage of known exploited vulnerabilities that exceed significant scoring thresholds. By examining changes across versions, this study assesses whether the claimed model improvements result in tangible benefits in identifying high-risk vulnerabilities and reducing the number of overlooked exploited cases. The results aim to offer an evidence-based evaluation of EPSS reliability and to guide practitioners on how confidently they should use EPSS scores to inform their real-world vulnerability prioritization processes.
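As an added illustration of the kind of version comparison the abstract describes (example code written for this page, not the study's own analysis), the script below scores two hypothetical EPSS releases against a constructed KEV subset: mean predicted probability over exploited CVEs, the share of exploited CVEs at or above each threshold, and, as a check that a newer version is separating exploited from unexploited CVEs rather than inflating every score, the same share for non-KEV CVEs. All CVE ids and scores are constructed placeholders, and the thresholds are assumed, not taken from the study.

```python
"""Compare successive EPSS score sets against a known-exploited set.
Constructed sample data throughout: placeholder ids, not real EPSS or KEV records."""
from statistics import mean

KEV = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"}
EPSS_OLD = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.15, "CVE-0000-0003": 0.60,
            "CVE-0000-0004": 0.05, "CVE-0000-0005": 0.95, "CVE-0000-0006": 0.40}
EPSS_NEW = {"CVE-0000-0001": 0.30, "CVE-0000-0002": 0.55, "CVE-0000-0003": 0.92,
            "CVE-0000-0004": 0.08, "CVE-0000-0005": 0.70, "CVE-0000-0006": 0.35}
THRESHOLDS = (0.1, 0.5, 0.9)  # assumed cut-offs for the illustration

def fraction_at_or_above(values, threshold):
    """Share of values meeting the cut-off; empty input counts as 0.0."""
    return sum(v >= threshold for v in values) / len(values) if values else 0.0

def evaluate(scores, kev, thresholds=THRESHOLDS):
    """Per-version metrics against the exploited set. A KEV entry with no
    score is treated as 0.0: an unscored exploited CVE is an overlooked one."""
    kev_scores = [scores.get(cve, 0.0) for cve in sorted(kev)]
    other_scores = [s for cve, s in scores.items() if cve not in kev]
    return {
        "mean_kev_score": mean(kev_scores),
        "kev_above": {t: fraction_at_or_above(kev_scores, t) for t in thresholds},
        # Share of non-exploited CVEs also pushed over each cut-off. If this rises
        # as fast as kev_above, the version inflated scores instead of ranking better.
        "non_kev_above": {t: fraction_at_or_above(other_scores, t) for t in thresholds},
        "top3": sorted(scores, key=scores.get, reverse=True)[:3],
    }

def compare(old, new, kev, thresholds=THRESHOLDS):
    """Net gain per cut-off: change in KEV coverage minus change in non-KEV
    coverage, so a uniform score inflation nets out to roughly zero."""
    a, b = evaluate(old, kev, thresholds), evaluate(new, kev, thresholds)
    return {t: (b["kev_above"][t] - a["kev_above"][t])
               - (b["non_kev_above"][t] - a["non_kev_above"][t]) for t in thresholds}

if __name__ == "__main__":
    for name, s in (("old", EPSS_OLD), ("new", EPSS_NEW)):
        print(name, evaluate(s, KEV))
    print("net gain per threshold:", compare(EPSS_OLD, EPSS_NEW, KEV))
```

On real data the two dictionaries would be loaded from the published EPSS score files for each version and the KEV set from the CISA catalog, with the threshold tuple set to whatever cut-offs the patching policy actually uses.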