Updated model released for the Exploit Prediction Scoring System #EPSS improved performance and 168,325 CVEs scored today. first.org/epss/model

EPSS v2 is the most important work done in the vulnerability world in the past 10 years. Free and open science to replace dogma:

"EPSS v2 is out!" I wrote up a brief history of how the objectives of EPSS have shifted with this release: cyentia.com/epss-version-2…

Anytime I hear superlatives like "worst vuln in recent history" my skepticalometer goes off. Heard that a lot in ref to Log4j and this chart from Fortinet 2H 2021 report seems to back it up. Log4j is like "Aw -Keep pushing Struts; you'll make it to the Big Leagues one day..."

Looking forward to this discussion tomorrow. Have questions about EPSS? the data behind it? Join us tomorrow!

This isn't another post about Log4Shell. Instead it's about what Log4Shell can teach us about the Exploit Prediction Scoring System (EPSS) first.org/epss/log4shell

Best job ever.

Join us at #SiRAcon22 where jayjacobs will discuss a different approach, the Exploit Prediction Scoring System (EPSS), that improves measurement by collecting real-world data, using modern analysis, and mixing with domain expertise. More Info here: societyinforisk.org/SIRAcon22

Sasha put a lot of work into making the EPSS API a reality. Current and historical EPSS scores are now available on demand!

While I appreciate all constructive feedback, I imagine you meant to tag Jay Jacobs.

Tell him his mom says hi.

Looking forward to our Thursday panel on risk based vuln management with Allan is @allanfriedman on bsky & infosec.exchange, jayjacobs, Michael Roytman & Jerry Gamblin.

Your periodic reminder! #BHUSA

And I stand by it.

Doing anything at 11ET today? How about joining me and Wendy Nather for an encore presentation of our 2022 RSA Conference talk for tips on measurably improving infosec programs. rsaconference.com/library/top-ra…

We've been working hard on EPSS and the next version is going live in one week on March 7th, expect the scores to shift around a bit. Details on our process: arxiv.org/abs/2302.14172 and performance is vastly improved as we continue to expand data partners!

I deny any responsibility. The only wave I’ve brought is a wave of confusion when people mistake me for some politician.