
Add EPSS as type to severity #144

Open
kurtseifried opened this issue Apr 4, 2023 · 7 comments

Comments

@kurtseifried
Contributor

I'd like to add EPSS (https://www.first.org/epss/) to the severity field, which is a form of severity (how likely is it going to be exploited).

One wrinkle: EPSS scores include:

epss : the EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication)
percentile : the percentile of the current score, the proportion of all scored vulnerabilities with the same or a lower EPSS score

The EPSS percentile should be included, and I think the percentile should be included, e.g. like an Olympic score if everything is 9.x then 9.9 and 9.8 are vastly different. So the format would be:

type: EPSS (it doesn't have a version currently AFAIK but it might in future, so no version specified currently)
score field: EPSS/0.00043/0.06996

so the EPSS score and the percentile of where that specific result currently lies

This change is simple and I've submitted a PR.

@kurtseifried
Contributor Author

PR: #145

@oliverchang
Contributor

Do we have examples of users who are producing EPSS today?

@jbmaillet

jbmaillet commented Apr 4, 2023

I'd like to add EPSS (https://www.first.org/epss/) to the severity field, which is a form of severity (how likely is it going to be exploited).
[...]
This change is simple and I've submitted a PR.

A step further, I would suggest, like first.org does, to also compute and use the localized percentile, for the subset of vulnerabilities considered. Quoting https://www.first.org/epss/articles/prob_percentile_bins:

Another consideration when working with percentiles is that they are based on every published CVE, and it is unlikely that any organization is dealing with every CVE. Therefore, percentile values may change for a given subset of vulnerabilities. For example, when a user considers only those vulnerabilities relevant to her network environment, the percentile values will change -- because the sample of total vulnerabilities will change. The EPSS probability will not change, but the relative position (ranking) of one vulnerability to another will very likely change.

This is more complicated, since it requires grabbing the global EPSS/percentile first, and then from the locally relevant EPSS, recompute local percentiles per project / use case. Maybe this does not have its place in the schema since it would be computed by a tool, but in the end this information should have its place in an OSV document.
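A worked example of the two proposals in this thread: parsing the `EPSS/<probability>/<percentile>` severity string from the opening comment, and recomputing percentiles locally over a subset of vulnerabilities as suggested above. This is added here as an illustration and is not code from the OSV project or either commenter; the CVE ids and score values are constructed samples, and the field names follow the issue's proposal rather than any merged schema.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample OSV-style severity entries in the format proposed in this
# issue (type "EPSS", score "EPSS/<probability>/<global percentile>").
# The ids and numbers are illustrative, not real EPSS data.
SAMPLE_SEVERITY = {
    "CVE-0000-0001": {"type": "EPSS", "score": "EPSS/0.00043/0.06996"},
    "CVE-0000-0002": {"type": "EPSS", "score": "EPSS/0.97210/0.99850"},
    "CVE-0000-0003": {"type": "EPSS", "score": "EPSS/0.00043/0.06996"},
    "CVE-0000-0004": {"type": "EPSS", "score": "EPSS/0.12500/0.95100"},
}


@dataclass(frozen=True)
class Epss:
    probability: float  # P(exploitation in the wild in the next 30 days)
    percentile: float   # share of scored vulns with same or lower probability


def parse_epss_score(score: str) -> Epss:
    """Parse 'EPSS/<probability>/<percentile>' as proposed in the issue."""
    parts = score.split("/")
    if len(parts) != 3 or parts[0] != "EPSS":
        raise ValueError(f"not an EPSS score string: {score!r}")
    prob, pct = float(parts[1]), float(parts[2])
    for name, value in (("probability", prob), ("percentile", pct)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"EPSS {name} out of [0, 1]: {value}")
    return Epss(prob, pct)


def local_percentiles(severity: dict, subset: list) -> dict:
    """Recompute percentiles over only the given subset of vulnerability ids.

    Uses the EPSS definition quoted above: the proportion of vulnerabilities
    in the sample with the same or a lower EPSS probability. The probabilities
    themselves do not change; only the ranking moves with the sample.
    """
    probs = {vid: parse_epss_score(severity[vid]["score"]).probability
             for vid in subset}
    n = len(probs)
    return {vid: sum(1 for other in probs.values() if other <= p) / n
            for vid, p in probs.items()}
```

Note how two entries with identical global percentiles (0.06996) land at 0.5 once only these four ids are ranked, which is the re-ranking effect the quoted article describes.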

@kurtseifried
Contributor Author

Yes FIRST is currently producing data:

https://www.first.org/epss/data_stats

which I would like to include in the machine readable data provided by GSD. We're also looking at EPSS for non CVE data.

@jbmaillet

jbmaillet commented Apr 6, 2023

We're also looking at EPSS for non CVE data.

I am very interested to see how it goes. Unless I misunderstood the basis of EPSS, and/or there has been a fundamental change in the version 3 of the model recently released (with not many details about the changes):

  • EPSS are open data, but not open source. This may be their main drawback. The data are published by first.org, but produced by the Cyentia Institute (https://www.first.org/epss/faq).
  • The machine learning model that EPSS is constructed on is mostly, if not only, based on CVE data and CVE correlated sources (https://www.first.org/epss/model, "Data Architecture and Sources").

Thus EPSS for non CVE data would be both an exciting and unexpected development! Maybe you have any insights and/or shareable info?

@kurtseifried
Contributor Author

One comment: Chicken and Egg. Why do people use CVE? It exists. Why don't they use X? Apart from GSD/OSV efforts there isn't another source. I suspect once we support EPSS and have it in all the CVE data for example, people may begin to ask a) can you do this for other public data (like GSD) and b) can we do it, e.g. open up the model and/or c) let's make an open model and tweak it and see if we can do this...

So a good step forwards would be having EPSS available and machine readable in OSV.

@andrewpollock
Contributor

Related, as I work on adding the CVE CVSS data from records I'm converting to OSV for google/osv.dev#783, I've wondered how many native OSV records are including this (I haven't done any research, just mentally flagged that I'd like to)
