The CVSS Problem

CVSS (Common Vulnerability Scoring System) measures theoretical severity β€” the worst-case impact if a vulnerability is exploited in an ideal attack scenario. It does not measure the probability of exploitation. A CVSS 9.8 vulnerability in a library that is never called from an internet-facing code path is much less urgent than a CVSS 7.2 vulnerability in a function that processes untrusted input on every API call.

Organisations that prioritise by CVSS alone spend most of their remediation budget on vulnerabilities that will never be exploited while ignoring lower-scored vulnerabilities that are actively being exploited in the wild.

CVSS was designed for comparing vulnerability severity across products, not for prioritising remediation within a specific environment. Using it for the latter is a category error that leads to systematically wrong prioritisation.

EPSS: Exploitation Probability

EPSS (Exploit Prediction Scoring System) is a machine learning model maintained by FIRST that predicts the probability that a given CVE will be exploited in the wild within the next 30 days. It is trained on threat intelligence feeds, exploit databases, and observed attack data.

Key characteristics of EPSS:

  • Scores range from 0 to 1 (probability of exploitation in 30 days)
  • Updated daily as new threat intelligence arrives
  • Median EPSS score for critical-rated CVEs is approximately 0.03 (3%) β€” most are never exploited
  • EPSS β‰₯ 0.4 correlates strongly with active exploitation within 30 days

Using EPSS alongside CVSS dramatically focuses remediation: fix high-CVSS + high-EPSS first, defer high-CVSS + low-EPSS unless you have capacity.

LLM Codebase Context

Even EPSS doesn't account for your specific environment. A vulnerability with EPSS 0.5 in a library you use only in a background batch job with no external inputs is lower risk than the same vulnerability in a library called directly from your public API.

LLMs can analyse the reachability of a vulnerable function within your specific codebase:

  • Is the vulnerable function reachable from an internet-facing entry point?
  • Does the call path pass through authentication and authorisation checks?
  • Is the input to the vulnerable function user-controlled or internal-only?
  • Is there compensating control (WAF, rate limiting, input validation) upstream?

This context-aware reachability score is the third dimension that CVSS and EPSS cannot provide.

The Combined Risk Score

A practical combined risk score formula:

Risk = CVSS_normalised Γ— EPSS Γ— Reachability_factor Γ— Business_impact

  • CVSS_normalised = CVSS score / 10 (0-1 range)
  • EPSS = raw EPSS probability (0-1)
  • Reachability_factor = 1.0 (internet-facing, no auth), 0.7 (authenticated but reachable), 0.3 (internal only), 0.1 (unreachable in current code)
  • Business_impact = multiplier based on the affected service's criticality (2.0 for payment processing, 1.5 for auth, 1.0 for standard services)

Example: CVE in payment processing library. CVSS 9.8 β†’ 0.98. EPSS 0.35. Reachability: 0.7 (authenticated endpoint). Business impact: 2.0. Combined score: 0.98 Γ— 0.35 Γ— 0.7 Γ— 2.0 = 0.48. Compare to: CVE in internal analytics library. CVSS 9.0 β†’ 0.9. EPSS 0.05. Reachability: 0.1. Business impact: 1.0. Combined: 0.9 Γ— 0.05 Γ— 0.1 Γ— 1.0 = 0.0045. The payment library CVE is 100x higher priority despite similar CVSS scores.

Practical Triage Model

Combined ScoreSLARemediation Track
>0.424 hoursEmergency response, CISO notification
0.2 – 0.47 daysPriority sprint item, security team involvement
0.05 – 0.230 daysStandard sprint item, auto-fix candidate
0.01 – 0.0590 daysBacklog, auto-fix if feasible
<0.01Accept riskMonitor, defer indefinitely

"The goal of AI-powered prioritisation is not to tell you what to fear. It is to tell you what to fix today, what to fix this week, and what you can safely ignore β€” with data to defend that decision to your CISO."