Yes, a CVSS score can evolve over time, especially if new information emerges. For example, a public exploit, a patch bypass, or evidence of active exploitation can lead analysts to revise the temporal score or even the base vector if an initial assessment error is detected.
In addition, automated tools like those from the NVD regularly update CVSS scores based on field data and publications. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.
#CVE #CVSS

No, EPSS does not replace CVSS: the two systems are complementary. CVSS provides a structural measure of severity, useful for understanding the potential impact of a vulnerability. EPSS, on the other hand, provides a behavioral and predictive measure, focused on the probability of actual exploitation.
Together, these two scores allow for a more refined risk assessment, both theoretically and operationally. Many companies adopt a hybrid approach, for example by only addressing vulnerabilities with both a CVSS ≥ 7 and an EPSS ≥ 0.5, or by using risk matrices enriched with these two indicators.
#EPSS #CVSS

EPSS complements CVSS by adding a temporal and behavioral dimension to vulnerability assessment. CVSS measures the severity of a flaw based on its intrinsic properties (impact, complexity, accessibility), but says nothing about the actual probability of it being exploited. EPSS fills this gap by analyzing real-world data, such as exploitation trends observed in honeypots, vulnerability search engines, or threat feeds.
This complementarity is valuable for risk management: a flaw may be critical according to CVSS, but not exploited (low EPSS score), or conversely appear benign in theory, but be heavily used in automated attacks. Using both scores together allows for establishing more relevant priorities that align with real-world conditions.
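The hybrid approach described above (CVSS ≥ 7 and EPSS ≥ 0.5, or a risk matrix built from both indicators) as an added example, not code from the original page; the findings, CVE placeholders and priority tiers are constructed for illustration:

```python
"""Hybrid CVSS/EPSS triage: threshold filter versus a two-axis risk matrix."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str      # placeholder identifiers below, not real CVEs
    cvss: float   # CVSS base score, 0.0 to 10.0
    epss: float   # EPSS probability of exploitation within 30 days, 0.0 to 1.0


# Constructed sample inventory covering the four CVSS/EPSS combinations.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.03),  # critical on paper, rarely exploited
    Finding("CVE-0000-0002", 5.3, 0.91),  # "medium" but heavily exploited in the wild
    Finding("CVE-0000-0003", 7.5, 0.64),  # severe and actively exploited
    Finding("CVE-0000-0004", 3.1, 0.01),  # low on both axes
]


def hybrid_filter(findings, cvss_min=7.0, epss_min=0.5):
    """The AND rule quoted in the text: act only when both thresholds are met."""
    return [f.cve for f in findings if f.cvss >= cvss_min and f.epss >= epss_min]


# Risk matrix: (severity band, exploitation band) -> priority tier.
# Assumed tiers (P1 most urgent); align them with your own remediation SLAs.
MATRIX = {
    ("high", "likely"): "P1",
    ("low", "likely"): "P2",    # exploited now, even though CVSS looks benign
    ("high", "unlikely"): "P3",
    ("low", "unlikely"): "P4",
}


def priority(f, cvss_min=7.0, epss_min=0.5):
    """Place one finding in the matrix using the same two thresholds."""
    band = "high" if f.cvss >= cvss_min else "low"
    likelihood = "likely" if f.epss >= epss_min else "unlikely"
    return MATRIX[(band, likelihood)]


def triage(findings):
    """Order findings by matrix tier, then by EPSS within a tier."""
    ranked = sorted(findings, key=lambda f: (priority(f), -f.epss))
    return [(priority(f), f.cve) for f in ranked]
```

On the sample data the AND filter keeps only the finding that meets both thresholds, while the matrix still surfaces the heavily exploited "medium" flaw as P2 instead of dropping it.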
#EPSS #CVSS

Yes, there is an official CVSS score calculator provided by the Forum of Incident Response and Security Teams (FIRST), which maintains the CVSS standard. It is accessible online at: https://www.first.org/cvss/calculator.
This calculator allows you to compose a vector by selecting the relevant metrics, and then automatically calculate the scores (base, temporal, environmental).
#CVE #CVSS

EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE identifier) a probability of being exploited within 30 days of its observation.
The goal of EPSS is to complement other scoring systems (like CVSS) by adding a dynamic and contextual layer based on real-world exploitation data observed in the wild. This allows organizations to better prioritize their remediation efforts based on the actual risk of exploitation.
#EPSS #CVSS

The CVSS (Common Vulnerability Scoring System) score measures the severity of a vulnerability by assigning it a rating from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective assessment of vulnerabilities, so that organizations can compare them with each other and prioritize their remediation.
This score takes into account several aspects: the ease of exploitation, the potential effects on confidentiality, integrity and availability, as well as the conditions necessary for the attack. In summary, the CVSS helps to quantify the inherent level of danger of a security flaw.
#CVE #CVSS

CVSS is broken down into three sub-scores: the base score, the temporal score and the environmental score.
By combining these three layers, the CVSS model becomes a more flexible tool that allows for refining treatment priorities according to the reality on the ground.
#CVE #CVSS

The CVSS scale ranges from 0.0 to 10.0, and each value range is associated with a severity level.
This classification allows organizations to filter vulnerabilities by severity, but it does not take into account the specific context of each company. That's why other criteria, such as active exploitation or the assets involved, should complement this assessment.
#CVE #CVSS

The CVSS score is generally defined by the organization that publishes the vulnerability, often a CNA (CVE Numbering Authority) or the software vendor concerned. In addition, entities such as the NVD (National Vulnerability Database) sometimes recalculate or adjust scores to ensure consistency between published CVEs.
Automated tools also allow independent researchers, SOC analysts, or security vendors to recalculate a score based on the published CVSS vector. This means that the same CVE can have several slightly different scores depending on the context and the evaluator, which encourages cross-referencing sources for critical decisions.
#CVE #CVSS #CNA #NVD

The CVSS score measures the intrinsic severity of a vulnerability, but not its actual exploitation, nor its relevance in a given environment. For example, a flaw may have a high score but be difficult to exploit in your infrastructure, or conversely, an average flaw may target a critical, unsegmented system.
For a more accurate risk assessment, it is important to integrate complementary indicators, such as evidence of active exploitation, an exploitation-probability score like EPSS, or the criticality and exposure of the assets involved.
Thus, the CVSS should be seen as an indicator of severity, not a complete measure of risk.
#CVE #CVSS