Recipe 10: CVSS with EPSS context
EPM also supports the Exploit Prediction Scoring System (EPSS), a data-driven metric designed to estimate the probability of a software vulnerability being exploited in the wild. Using CVSS alongside EPSS or even OSV (Open Source Vulnerabilities), we can make better informed decisions about whether to investigate, quarantine or promote a package based on multiple sources of risk data.
package cloudsmith

# Rego v1 syntax: needed for the `if`, `contains` and `in` keywords used below.
import rego.v1

default match := false

# Policy tunables.
max_epss := 0.0001
target_repository := "acme-corporation"
ignored_cves := {"CVE-2023-45853"}

# The policy matches when at least one vulnerability produces a reason.
match if count(reason) > 0

reason contains msg if {
    input.v0["repository"]["name"] == target_repository
    some vuln in input.v0["vulnerabilities"]

    # A fix must exist: this expression is undefined (and the rule does not
    # fire) when the scanner reports no patched version for the finding.
    vuln["patched_versions"]
    vuln["severity"] == "HIGH"
    not ignored_cve(vuln)

    # EPSS score exceeds threshold (undefined, and so no match, when absent)
    vuln["epss_score"]
    vuln["epss_score"] > max_epss

    msg := sprintf(
        "High severity vulnerability %s has EPSS score %.6f (threshold %.6f)",
        [vuln["VulnerabilityID"], vuln["epss_score"], max_epss]
    )
}

# Exception list: CVEs whose risk has been accepted or otherwise mitigated.
ignored_cve(vuln) if {
    vuln["VulnerabilityID"] in ignored_cves
}
Trigger Condition

max_epss := 0.0001
vuln["epss_score"] > max_epss

When and How It's Triggered
What's interesting about this specific Spotipy package example is that it was picked up by EPSS but had not yet received a “vendor severity” score from NIST, underlining the value of combining EPSS with traditional vendor scoring sources in our EPM policies.
pip download spotipy==2.25.0
cloudsmith push python acme-corporation/acme-repo-one spotipy-2.25.0-py3-none-any.whl -k "API_KEY"

Business value from this policy
EPSS is a metric that estimates the probability of a given vulnerability being exploited in the wild within the next 30 days. Unlike CVSS (Common Vulnerability Scoring System), which measures the inherent technical severity of a vulnerability, EPSS is focused on likelihood, using real-world data, threat intelligence feeds, and statistical models. CVSS might tell you that a vulnerability is “critical” because of the potential impact, but EPSS can indicate whether attackers are actually likely to exploit it soon. This makes EPSS a valuable complement to CVSS for prioritization because a high-severity vulnerability that is very unlikely to be exploited may not require immediate attention, while a lower-severity one with a high EPSS score might demand urgent mitigation.
This policy example blends CVSS and EPSS to improve vulnerability triage in Cloudsmith EPM. It first filters for vulnerabilities in the acme-corporation repository that are classified as “HIGH” severity under CVSS and for which a patched version exists, ensuring that only technically significant, fixable issues are considered. It then applies an EPSS-based threshold (max_epss := 0.0001), flagging only those high-severity vulnerabilities whose exploitation probability exceeds this limit. By excluding vulnerabilities in the ignored_cves list, it allows for exceptions where risk is known to be acceptable or mitigated.
This dual-filter approach combines the impact assessment of CVSS with the real-world likelihood from EPSS, helping teams focus on vulnerabilities that are both severe and realistically exploitable.
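To make the policy's behaviour concrete, the following is an added example (not Cloudsmith's code or part of this recipe) that re-implements each condition of the Rego rule in Python and runs it against a constructed payload shaped like the policy's input.v0 document. The field names (repository.name, vulnerabilities, patched_versions, severity, epss_score, VulnerabilityID) are taken from the policy; the payload and the CVE-0000-000N identifiers are constructed placeholders. It also mirrors the Rego detail that a bare term such as vuln["epss_score"] only fails when the key is absent or literally false, so a finding with no EPSS score yet never matches and is not treated as a score of zero.

```python
"""Python mirror of the Recipe 10 Rego policy (added example, not Cloudsmith's code).

Each condition of the `reason` rule is reproduced so the threshold and the
exception list can be exercised offline against a constructed payload.
"""
from __future__ import annotations

from typing import Any

# Same tunables as the Rego policy.
MAX_EPSS = 0.0001
TARGET_REPOSITORY = "acme-corporation"
IGNORED_CVES = frozenset({"CVE-2023-45853"})


def defined(obj: dict[str, Any], key: str) -> bool:
    """Rego semantics for a bare term: it fails only when undefined (missing key)
    or when its value is literally `false`; null, "" and [] do not fail."""
    return key in obj and obj[key] is not False


def is_ignored(vuln: dict[str, Any]) -> bool:
    """Mirror of ignored_cve(vuln)."""
    return vuln.get("VulnerabilityID") in IGNORED_CVES


def reasons(payload: dict[str, Any], max_epss: float = MAX_EPSS) -> list[str]:
    """Mirror of `reason contains msg if {...}`: one message per vulnerability
    that satisfies every condition. An empty list means no match."""
    v0 = payload["v0"]
    if v0.get("repository", {}).get("name") != TARGET_REPOSITORY:
        return []
    out: list[str] = []
    for vuln in v0.get("vulnerabilities", []):
        if not defined(vuln, "patched_versions"):   # no fix available
            continue
        if vuln.get("severity") != "HIGH":           # CVSS-derived severity gate
            continue
        if is_ignored(vuln):                         # accepted-risk exception
            continue
        if not defined(vuln, "epss_score"):          # no EPSS score yet: undefined
            continue
        epss = vuln["epss_score"]
        if not isinstance(epss, (int, float)) or not epss > max_epss:
            continue
        out.append(
            f"High severity vulnerability {vuln['VulnerabilityID']} "
            f"has EPSS score {epss:.6f} (threshold {max_epss:.6f})"
        )
    return out


def match(payload: dict[str, Any], max_epss: float = MAX_EPSS) -> bool:
    """Mirror of `match if count(reason) > 0`."""
    return len(reasons(payload, max_epss)) > 0


# Constructed sample payload: one finding per path through the rule body.
SAMPLE_PAYLOAD: dict[str, Any] = {
    "v0": {
        "repository": {"name": "acme-corporation"},
        "vulnerabilities": [
            # Fires: HIGH, fix available, EPSS above the threshold.
            {"VulnerabilityID": "CVE-0000-0001", "severity": "HIGH",
             "patched_versions": ["1.2.3"], "epss_score": 0.0312},
            # Suppressed: on the exception list despite a very high EPSS.
            {"VulnerabilityID": "CVE-2023-45853", "severity": "HIGH",
             "patched_versions": ["1.3.1"], "epss_score": 0.9},
            # Suppressed: EPSS present but not above max_epss.
            {"VulnerabilityID": "CVE-0000-0002", "severity": "HIGH",
             "patched_versions": ["2.0.0"], "epss_score": 0.00005},
            # Suppressed: no EPSS score yet (undefined in Rego, not zero).
            {"VulnerabilityID": "CVE-0000-0003", "severity": "HIGH",
             "patched_versions": ["0.9.1"]},
            # Suppressed: this policy gates on "HIGH" only.
            {"VulnerabilityID": "CVE-0000-0004", "severity": "CRITICAL",
             "patched_versions": ["4.4.0"], "epss_score": 0.5},
            # Suppressed: scanner reported no patched version.
            {"VulnerabilityID": "CVE-0000-0005", "severity": "HIGH",
             "epss_score": 0.7},
        ],
    }
}

if __name__ == "__main__":
    for msg in reasons(SAMPLE_PAYLOAD):
        print(msg)
    print("match:", match(SAMPLE_PAYLOAD))
```

Running the module prints a single reason for CVE-0000-0001 and `match: True`; raising the threshold (for example `match(SAMPLE_PAYLOAD, max_epss=0.05)`) makes the same payload fall through to the policy's `default match := false`. Note that the CRITICAL finding is deliberately not matched, which is the policy as written, not an oversight of the mirror: widen the severity gate in the Rego if CRITICAL findings should be covered too.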