Intel Node
Less panic patching, more precision
In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.
Welcome to this week's edition of the Threat Source newsletter. Recently, Martin closed his introduction with a warning: Ready or not, the time of much patching is coming. I've been chewing on that one for a while because I'm rethinking my own enrichment pipelines along these lines, and the questions Martin raised are the ones I keep running into — with one or two ideas on what practitioners can actually do about it. Honestly speaking, most of us are still prioritising the wrong way.
CVSS has been the default for over a decade — but it only answers one question: How bad could this be in theory? It's a severity score, not a risk score. A CVSS 9.8 on something nobody is exploiting (and nobody ever will) is a very different problem from a CVSS 7.2 that's being weaponised in the wild this morning. If your patch queue is sorted purely by CVSS, you're spending finite operations capacity on hypotheticals. This is where EPSS (Exploit Prediction Scoring System) earns its place next to CVSS.
EPSS is a probability — between 0 and 1 — that a given CVE will be exploited in the next 30 days, based on real-world signals. The two answer different questions:

| Feature | CVSS | EPSS |
|---|---|---|
| Focus | Severity (impact) | Risk (likelihood of exploitation) |
| Nature | Static (usually) | Dynamic (updated daily) |
| Output | 0.0 to 10.0 score | 0.0 to 1.0 probability |
| Primary use | Assesses technical impact | Prioritizes remediation |

CVSS tells you how bad it would be if exploited. EPSS tells you how likely it is to actually happen to you soon.
Used together, a high CVSS and a high EPSS is your "drop everything" pile, while a high CVSS and a very low EPSS can probably wait behind a medium with an EPSS of 0.7. That single change in triage logic can meaningfully shrink the patch backlog without weakening your posture. The second ingredient is knowing what is actually being exploited — and here, many teams default to CISA's KEV catalog. KEV is excellent, and I've quoted KEV numbers in this newsletter more times than I can count.
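To make that triage rule concrete, here is an added example (not code from the newsletter) of a small sorter that ranks findings by an EPSS-aware tier instead of by CVSS alone; the tier thresholds, the `Finding` fields, the `kev` flag and the CVE identifiers are constructed placeholders, not values from the page.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to your own risk appetite.
EPSS_HIGH = 0.5          # likely to be exploited within 30 days
EPSS_NEGLIGIBLE = 0.05   # nobody is exploiting it, and probably nobody will
CVSS_HIGH = 7.0


@dataclass
class Finding:
    cve: str
    cvss: float        # 0.0 to 10.0 severity
    epss: float        # 0.0 to 1.0 probability of exploitation in the next 30 days
    kev: bool = False  # listed in an exploited-in-the-wild catalog such as CISA KEV


def tier(f: Finding) -> int:
    """Lower tier number means patch sooner."""
    if f.kev or (f.cvss >= CVSS_HIGH and f.epss >= EPSS_HIGH):
        return 0  # the "drop everything" pile
    if f.epss >= EPSS_HIGH:
        return 1  # medium severity, but actively likely to be exploited
    if f.cvss >= CVSS_HIGH and f.epss >= EPSS_NEGLIGIBLE:
        return 2  # severe and plausible, but not on fire
    return 3  # hypotheticals, including a CVSS 9.8 with negligible EPSS


def triage(findings):
    """Sort by tier, then by EPSS, then by CVSS (all descending in urgency)."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def cvss_only(findings):
    """The default queue most teams still run: severity only."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample data with placeholder CVE identifiers.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01),            # critical, nobody exploits it
    Finding("CVE-0000-0002", cvss=7.2, epss=0.92),            # being weaponised this morning
    Finding("CVE-0000-0003", cvss=5.3, epss=0.70),            # the medium with EPSS 0.7
    Finding("CVE-0000-0004", cvss=8.1, epss=0.20, kev=True),  # confirmed exploited
]

if __name__ == "__main__":
    print("CVSS only :", [f.cve for f in cvss_only(SAMPLE)])
    print("CVSS+EPSS :", [f.cve for f in triage(SAMPLE)])
```

The CVSS-only queue puts the never-exploited 9.8 first; the combined queue pushes it to the back and promotes the actively exploited 7.2 and the EPSS 0.7 medium ahead of it.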
CISA contributes as an Authorized Data Publisher (ADP) in the CVE Program, enriching records alongside the original CNA's data. That model works well, but it's also why KEV is structurally centralized, conservative in what it admits, and naturally scoped to what U.S. federal visibility surfaces. For a global practitioner — and I notice this writing from Germany — "Is this being exploited?" deserves a broader lens.