PublicCVE
Jun 10, 2026 · 4 min read

EPSS vs CVSS: scoring how likely, not just how bad

CVSS tells you how damaging a vulnerability could be. EPSS tells you how likely it is to actually be exploited. Triaging on one without the other is how teams drown.

Most vulnerability programs still triage on a single number: the CVSS base score. It is a reasonable measure of severity — how much damage an exploit could do — but it says nothing about whether anyone will ever bother. A 9.8 in an obscure library with no public exploit and no attacker interest is, in practice, less urgent than a 7.5 that ransomware crews are spraying across the internet this week.

What each score actually measures

  • CVSS — an analyst-assigned, mostly static base score combining impact with intrinsic exploitability characteristics (attack vector, complexity, privileges required, user interaction). Answers “how bad if exploited?”, not “will it be?”
  • EPSS — the FIRST community’s model output, refreshed daily: the probability that a CVE will be exploited in the wild in the next 30 days, a value in [0, 1]. Answers “how likely?”

They are independent axes. The dangerous quadrant is high-impact and high-probability; the quadrant that soaks up effort under CVSS-only triage is high-impact, low-probability. EPSS moves over time as exploit code, scanner signatures, and attacker chatter appear, which is exactly the signal a static CVSS base score cannot give you.

A simple triage rule

Start from confirmed exploitation (CISA KEV), then sort the rest by EPSS, and use CVSS to break ties on blast radius. Because EPSS is recomputed daily, re-sort from fresh scores rather than a cached list, and remember that neither score knows your environment: an internet-facing asset still outranks an isolated one at identical scores. On PublicCVE every CVE shows both axes, a severity pill and an EPSS meter, so you can read “bad and likely” at a glance instead of inferring it from one half of the picture.
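The two-axis quadrant and the KEV → EPSS → CVSS sort described above, as an added Python example (not PublicCVE’s own code). The `EPSS_HIGH` and `CVSS_HIGH` thresholds and the `vuln-A`…`vuln-E` sample findings are assumptions constructed for illustration, not real CVE records.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds are assumptions chosen for illustration, not values from the post.
EPSS_HIGH = 0.10   # probability of exploitation in the next 30 days
CVSS_HIGH = 7.0    # the CVSS "High" band begins at 7.0


@dataclass(frozen=True)
class Finding:
    cve: str      # identifier; the sample below uses placeholder labels
    cvss: float   # CVSS base score, 0.0 to 10.0 ("how bad")
    epss: float   # EPSS probability, 0.0 to 1.0 ("how likely")
    kev: bool     # listed in CISA KEV, i.e. exploitation already confirmed


def quadrant(f: Finding) -> str:
    """Place a finding on the two axes: impact (CVSS) and probability (EPSS)."""
    bad = f.cvss >= CVSS_HIGH
    likely = f.epss >= EPSS_HIGH
    if bad and likely:
        return "bad and likely"      # the dangerous quadrant: fix first
    if bad:
        return "bad but unlikely"    # where CVSS-only triage wastes effort
    if likely:
        return "likely, lower impact"
    return "low on both axes"


def triage_key(f: Finding) -> Tuple[bool, float, float]:
    """Sort key: confirmed exploitation first, then EPSS descending,
    then CVSS descending as the tie-breaker on blast radius."""
    return (not f.kev, -f.epss, -f.cvss)


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings in the order they should be worked."""
    return sorted(findings, key=triage_key)


# Constructed sample data; the labels are placeholders, not real CVE records.
SAMPLE = [
    Finding("vuln-A", cvss=9.8, epss=0.004, kev=False),  # critical, no attacker interest
    Finding("vuln-B", cvss=7.5, epss=0.930, kev=False),  # high, actively sprayed
    Finding("vuln-C", cvss=8.8, epss=0.420, kev=True),   # on KEV: exploitation confirmed
    Finding("vuln-D", cvss=5.3, epss=0.300, kev=False),  # medium severity but likely
    Finding("vuln-E", cvss=9.1, epss=0.930, kev=False),  # ties B on EPSS; CVSS decides
]


def triage_order(findings: List[Finding] = SAMPLE) -> List[str]:
    """Identifiers in triage order, for quick inspection."""
    return [f.cve for f in triage(findings)]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = "KEV " if f.kev else "    "
        print(f"{flag}{f.cve}  cvss={f.cvss:4.1f}  epss={f.epss:.3f}  {quadrant(f)}")
```

Run stand-alone it prints the KEV entry first, then the two EPSS 0.93 findings with the 9.1 ahead of the 7.5, then the medium-but-likely one, and the 9.8 that nobody is exploiting last. In practice the `epss` field comes from the FIRST API (`https://api.first.org/data/v1/epss?cve=...`), which also returns a percentile; since that data refreshes daily, the sort should be recomputed from a fresh pull rather than a stored ranking.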