EPSS Scoring Explained: Prioritising Vulnerabilities for CRA Compliance
EPSS predicts the probability a CVE will be exploited in the next 30 days. Used alongside CVSS, it is a practical tool for prioritising CRA patch management obligations.
The Vulnerability Prioritisation Problem
A modern product SBOM might contain hundreds of third-party components. Each week, new CVEs are published affecting some of those components. Not all CVEs carry equal risk -- but CVSS scores alone are a blunt instrument. A CVSS 9.8 vulnerability in a network-isolated embedded component may pose far less real-world risk than a CVSS 6.5 vulnerability in an internet-facing authentication library with a public exploit available.
The CRA requires manufacturers to address vulnerabilities without undue delay but does not define fixed timelines for every severity level. EPSS is one of the most useful tools for making principled prioritisation decisions.
What Is EPSS?
EPSS -- the Exploit Prediction Scoring System -- is an open, data-driven model developed by FIRST.org that estimates the probability that a given CVE will be exploited in the next 30 days. It is updated daily and freely available via the FIRST API. Scores range from 0.0 to 1.0. A score of 0.85 means an 85% predicted probability of exploitation within 30 days. Scores below 0.05 indicate low near-term exploitation likelihood.
EPSS measures how likely exploitation is to occur. CVSS measures how severe the impact would be if exploitation occurs. They are complementary.
Using CVSS and EPSS Together
High CVSS + High EPSS: Critical priority -- severe impact, likely to be exploited imminently. Patch as fast as possible.
High CVSS + Low EPSS: High priority -- severe impact but currently unlikely to be exploited. Patch within your defined SLA.
Low CVSS + High EPSS: Medium priority -- exploitation is likely but impact is limited. Monitor closely.
Low CVSS + Low EPSS: Low priority -- address in scheduled maintenance windows.
EPSS and the Without Undue Delay Standard
The CRA's "without undue delay" standard will be interpreted in light of how exploitable a vulnerability is. A manufacturer who can demonstrate that their patch prioritisation was informed by both CVSS scores and EPSS exploitation probability data is in a much stronger position in any enforcement investigation.
EPSS is also relevant to Article 14. A sudden jump in the EPSS score of a CVE affecting your SBOM often precedes confirmed in-the-wild exploitation and is an early warning signal worth monitoring.
Integrating EPSS into Your Workflow
1. Automate EPSS lookups against all CVEs identified by your SBOM vulnerability scanner. The FIRST EPSS API is free and straightforward to query by CVE ID.
2. Set a high-priority threshold: any CVE with EPSS above 0.5 and CVSS of 7.0 or above should trigger immediate escalation.
3. Monitor for score spikes: subscribe to daily EPSS updates for CVEs in your open vulnerability backlog.
4. Document your rationale: in your patch management records, note the CVSS score, EPSS score, and remediation decision for each CVE.
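The following is an added example, not code from the article or from FIRST.org, that puts the CVSS/EPSS matrix above and the four workflow steps together: it parses a response in the shape the FIRST EPSS API returns (a `data` array of objects with `cve`, `epss`, `percentile` and `date`, with the numbers as strings), classifies each CVE with the 7.0 / 0.5 thresholds from step 2, flags day-over-day score spikes for step 3, and emits a rationale record for step 4. The CVE identifiers, scores and the two "daily snapshots" are constructed sample data; the `SPIKE_DELTA` value and the `fetch_epss` helper (which does a live query and is not used by the offline demo) are assumptions.

```python
"""Added example: prioritise SBOM CVEs with CVSS + EPSS and record the rationale."""
import json
from urllib.request import urlopen  # only used by fetch_epss(), not by the offline demo

EPSS_API = "https://api.first.org/data/v1/epss"
CVSS_HIGH = 7.0     # article's threshold: CVSS 7.0 or above counts as high impact
EPSS_HIGH = 0.5     # article's threshold: EPSS above 0.5 counts as likely exploitation
SPIKE_DELTA = 0.2   # assumed: a day-over-day EPSS rise of this size is treated as a spike

# Constructed snapshots in the FIRST EPSS API JSON shape; CVE IDs and values are made up.
SAMPLE_EPSS_YESTERDAY = json.dumps({"status": "OK", "status-code": 200, "total": 4, "data": [
    {"cve": "CVE-0000-0001", "epss": "0.830000000", "percentile": "0.980000000", "date": "2025-01-01"},
    {"cve": "CVE-0000-0002", "epss": "0.010000000", "percentile": "0.300000000", "date": "2025-01-01"},
    {"cve": "CVE-0000-0003", "epss": "0.050000000", "percentile": "0.700000000", "date": "2025-01-01"},
    {"cve": "CVE-0000-0004", "epss": "0.004000000", "percentile": "0.100000000", "date": "2025-01-01"},
]})
SAMPLE_EPSS_TODAY = json.dumps({"status": "OK", "status-code": 200, "total": 4, "data": [
    {"cve": "CVE-0000-0001", "epss": "0.850000000", "percentile": "0.990000000", "date": "2025-01-02"},
    {"cve": "CVE-0000-0002", "epss": "0.010000000", "percentile": "0.300000000", "date": "2025-01-02"},
    {"cve": "CVE-0000-0003", "epss": "0.620000000", "percentile": "0.970000000", "date": "2025-01-02"},
    {"cve": "CVE-0000-0004", "epss": "0.004000000", "percentile": "0.100000000", "date": "2025-01-02"},
]})
# Constructed CVSS base scores from the scanner; CVE-0000-0005 has no EPSS entry yet (too new).
SAMPLE_CVSS = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 9.1, "CVE-0000-0003": 5.3,
               "CVE-0000-0004": 4.0, "CVE-0000-0005": 7.5}

DECISION = {"critical": "patch immediately and escalate",
            "high": "patch within defined SLA",
            "medium": "monitor closely",
            "low": "address in scheduled maintenance window"}


def parse_epss(payload: str) -> dict:
    """Turn an EPSS API response into {cve_id: probability}; the API encodes numbers as strings."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {doc.get('status')!r}")
    return {row["cve"]: float(row["epss"]) for row in doc.get("data", [])}


def fetch_epss(cve_ids, timeout: int = 10) -> dict:
    """Live lookup (network required): the API accepts a comma-separated 'cve' query parameter."""
    url = f"{EPSS_API}?cve={','.join(cve_ids)}"
    with urlopen(url, timeout=timeout) as resp:
        return parse_epss(resp.read().decode("utf-8"))


def priority(cvss: float, epss: float) -> str:
    """Article's 2x2 matrix: impact (CVSS) on one axis, likelihood (EPSS) on the other."""
    high_impact = cvss >= CVSS_HIGH
    likely = epss > EPSS_HIGH
    if high_impact and likely:
        return "critical"
    if high_impact:
        return "high"
    if likely:
        return "medium"
    return "low"


def detect_spikes(previous: dict, current: dict, delta: float = SPIKE_DELTA) -> dict:
    """Return {cve: rise} for CVEs whose EPSS rose by at least `delta` between two snapshots."""
    spikes = {}
    for cve, now in current.items():
        rise = now - previous.get(cve, 0.0)
        if rise >= delta:
            spikes[cve] = round(rise, 6)
    return spikes


def build_records(cvss_by_cve: dict, epss_now: dict, epss_before: dict) -> list:
    """One patch-management record per CVE: scores, priority, decision and written rationale."""
    spikes = detect_spikes(epss_before, epss_now)
    records = []
    for cve in sorted(cvss_by_cve):
        cvss = cvss_by_cve[cve]
        epss = epss_now.get(cve)
        # A CVE with no EPSS score yet is classified on CVSS alone and the gap is recorded,
        # rather than silently treated as "unlikely to be exploited".
        level = priority(cvss, epss if epss is not None else 0.0)
        rationale = (f"CVSS {cvss}; EPSS {epss if epss is not None else 'not yet published'}"
                     f"; classified {level}")
        if cve in spikes:
            rationale += f"; EPSS rose by {spikes[cve]} since previous snapshot (early-warning signal)"
        records.append({"cve": cve, "cvss": cvss, "epss": epss, "spike": spikes.get(cve),
                        "priority": level, "decision": DECISION[level], "rationale": rationale})
    return records


if __name__ == "__main__":
    for rec in build_records(SAMPLE_CVSS, parse_epss(SAMPLE_EPSS_TODAY),
                             parse_epss(SAMPLE_EPSS_YESTERDAY)):
        print(f"{rec['cve']}  {rec['priority']:<8}  {rec['decision']:<40}  {rec['rationale']}")
```

In a real pipeline `fetch_epss` replaces the two embedded snapshots and yesterday's snapshot is whatever the job stored on its previous run; the records list is what goes into the patch-management log so that the CVSS score, EPSS score and decision for each CVE are preserved together.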