The number of disclosed vulnerabilities has been steadily increasing over the years. At the same time, organizations face significant challenges patching their systems, which forces them to prioritize vulnerability remediation in order to reduce the risk of attacks. Unfortunately, existing vulnerability scoring systems are either vendor-specific, proprietary, or only commercially available. Moreover, these and other prioritization strategies based on vulnerability severity are poor predictors of actual exploitation because they do not incorporate new information that might change the likelihood of exploitation. In this paper we present the efforts behind building a Special Interest Group (SIG) that seeks to develop a completely data-driven exploit scoring system that produces scores for all known vulnerabilities, is freely available, and adapts to new information. The Exploit Prediction Scoring System (EPSS) SIG consists of more than 170 experts from around the world and across all industries, providing crowd-sourced expertise and feedback. Based on these collective insights, we describe the design decisions and trade-offs that led to the development of the next version of EPSS. This new machine learning model provides an 82% performance improvement over past models in distinguishing vulnerabilities that are exploited in the wild and thus may be prioritized for remediation.
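The abstract's central claim is that a severity-only strategy (for example "patch everything CVSS High or above") is a weak predictor of which vulnerabilities are actually exploited, and that a probability-based score should be judged on how well it separates exploited from unexploited vulnerabilities. The following Python is an added illustration of how such a comparison is scored; it is not code from the paper or from the EPSS SIG, it does not reproduce the 82% figure, and its vulnerability records are constructed. It assumes a simple precision/recall/effort evaluation (the EPSS documentation refers to precision as "efficiency" and recall as "coverage"); the CVSS 7.0 cut-off is the standard High boundary, while the EPSS 0.5 cut-off is an arbitrary choice for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    """One vulnerability record. All values are constructed for this example."""
    vuln_id: str
    cvss: float      # base severity score, 0.0-10.0
    epss: float      # estimated probability of exploitation, 0.0-1.0
    exploited: bool  # ground truth: exploitation observed in the wild


# Constructed sample, not real CVE data. Exploited rows are deliberately spread
# across severity bands to mirror the abstract's point that severity alone is a
# weak predictor of exploitation.
SAMPLE: List[Vuln] = [
    Vuln("vuln-01", 9.8, 0.92, True),
    Vuln("vuln-02", 9.8, 0.05, False),
    Vuln("vuln-03", 9.1, 0.02, False),
    Vuln("vuln-04", 8.8, 0.71, True),
    Vuln("vuln-05", 8.1, 0.01, False),
    Vuln("vuln-06", 7.5, 0.03, False),
    Vuln("vuln-07", 7.5, 0.55, True),
    Vuln("vuln-08", 7.2, 0.01, False),
    Vuln("vuln-09", 6.5, 0.64, True),   # medium severity, yet exploited
    Vuln("vuln-10", 5.3, 0.02, False),
    Vuln("vuln-11", 4.3, 0.01, False),
    Vuln("vuln-12", 3.1, 0.00, False),
    Vuln("vuln-13", 6.1, 0.58, False),  # high EPSS, no exploitation observed
    Vuln("vuln-14", 7.8, 0.12, True),   # exploited despite a low EPSS score
]


def evaluate(vulns: List[Vuln], select: Callable[[Vuln], bool]) -> Dict[str, float]:
    """Score a prioritization strategy against observed exploitation.

    precision: share of selected vulnerabilities that were exploited
    recall:    share of exploited vulnerabilities that were selected
    effort:    share of all vulnerabilities the strategy asks you to remediate
    """
    tp = fp = fn = 0
    for v in vulns:
        chosen = select(v)
        if chosen and v.exploited:
            tp += 1
        elif chosen:
            fp += 1
        elif v.exploited:
            fn += 1
    selected = tp + fp
    return {
        "selected": selected,
        "tp": tp,
        "fp": fp,
        "fn": fn,
        "precision": tp / selected if selected else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
        "effort": selected / len(vulns) if vulns else 0.0,
    }


def cvss_strategy(threshold: float = 7.0) -> Callable[[Vuln], bool]:
    """Severity-based rule: remediate everything at or above the CVSS High boundary."""
    return lambda v: v.cvss >= threshold


def epss_strategy(threshold: float = 0.5) -> Callable[[Vuln], bool]:
    """Probability-based rule: remediate everything at or above an EPSS cut-off (assumed 0.5)."""
    return lambda v: v.epss >= threshold


def compare(vulns: List[Vuln] = SAMPLE) -> Dict[str, Dict[str, float]]:
    """Run both strategies over the same data so the trade-offs can be read side by side."""
    return {
        "cvss>=7.0": evaluate(vulns, cvss_strategy(7.0)),
        "epss>=0.5": evaluate(vulns, epss_strategy(0.5)),
    }


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:10s} selected={m['selected']:2d} tp={m['tp']} fp={m['fp']} fn={m['fn']} "
              f"precision={m['precision']:.2f} recall={m['recall']:.2f} effort={m['effort']:.2f}")
```

On the constructed sample both rules catch four of the five exploited vulnerabilities, but the severity rule asks for nine remediations to do it while the probability rule asks for five, and each misses a different vulnerability (the medium-severity exploited one versus the low-EPSS exploited one). Substituting your own inventory and an exploitation feed for `SAMPLE` turns this into the check a team would run before adopting any threshold.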