Dependabot helps users focus on the most important alerts by including EPSS scores that indicate likelihood of exploitation, now generally available
Summary
Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks. EPSS scores predict…
Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks.
EPSS scores predict the likelihood of a vulnerability being exploited, with scores ranging from 0 to 1 (0 to 100%). Higher scores mean higher risk. We also show the EPSS score percentile, indicating how a vulnerability compares to others.
For example, a 90.534% EPSS score at the 95th percentile means:
- 90.534% chance of exploitation in the next 30 days
- 95% of other vulnerabilities are less likely to be exploited
You can use EPSS scores to help prioritize dependency vulnerabilities based on exploit likelihood. Only ~0.5% of vulnerabilities have an EPSS score above 50%. This makes EPSS a powerful tool for prioritization based on exploitation likelihood, especially when used in conjunction with exploitation severity (CVSS). For more information on using EPSS and/or CVSS for vulnerability prioritization, check out FIRST’s EPSS user guide.
This feature is available on GitHub.com today, and will be available in GitHub Enterprise Server staring with version 3.17.
Learn more in FIRST’s EPSS User Guide.
Join the discussion within GitHub Community.
Read more about viewing, sorting, and filtering Dependabot alerts in GitHub’s Dependabot docs.