OpenCVE Feature Request: Integrate FIRST EPSS for Exploitation Predictability in Vulnerability Management
Prioritizing vulnerabilities by severity alone leaves security teams with far more "high" and "critical" findings than they can realistically remediate. A new feature request for the open-source CVE tracking platform OpenCVE highlights a critical gap: the need for exploitation predictability to prioritize threats meaningfully. The proposal calls for integrating the Exploit Prediction Scoring System (EPSS) published by the Forum of Incident Response and Security Teams (FIRST).
The EPSS model provides a daily, data-driven estimate (a probability between 0 and 1, published together with a percentile rank) that a given Common Vulnerabilities and Exposures (CVE) entry will see exploitation activity in the wild within the next 30 days. By pulling scores directly from the FIRST EPSS API, OpenCVE users could filter and sort vulnerability data by this predictive metric rather than by static severity scores such as CVSS alone. Because the scores are refreshed daily, the integration would also let teams track changes in a CVE's EPSS score over time, adding a dynamic, intelligence-led layer to triage workflows.
For security operations centers and vulnerability management programs, this integration would be a significant shift. It moves prioritization from a reactive, severity-based model to a proactive, risk-based one focused on what attackers are most likely to exploit. One caveat worth keeping in mind: EPSS estimates exploitation activity across the internet at large, not in a particular environment, so it complements rather than replaces asset exposure, CVSS and known-exploited-vulnerability data. The requester notes this capability would be "God-like" for the platform, signaling a high demand for tools that bridge the gap between known vulnerabilities and actionable threat intelligence.
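The two ideas above, ranking by EPSS instead of CVSS and watching scores move between daily snapshots, are illustrated by the following added example. It is not code from OpenCVE or from the feature request. The JSON payloads are constructed to match the shape of a FIRST EPSS API response (`GET https://api.first.org/data/v1/epss?cve=...`), but the CVE identifiers, scores, dates and CVSS values are invented for illustration; the `rank` and `epss_changes` helpers are this example's own names.

```python
"""Added example: rank CVEs by EPSS probability rather than CVSS severity alone,
and flag day-over-day EPSS movement between two snapshots."""
import json

# Constructed responses shaped like the FIRST EPSS API JSON body
# (GET https://api.first.org/data/v1/epss?cve=CVE-A,CVE-B&date=YYYY-MM-DD).
# CVE IDs, scores and dates are illustrative, not real EPSS data.
EPSS_DAY1 = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.004", "percentile": "0.71", "date": "2024-06-01"},
        {"cve": "CVE-2024-0002", "epss": "0.120", "percentile": "0.95", "date": "2024-06-01"},
        {"cve": "CVE-2024-0003", "epss": "0.001", "percentile": "0.40", "date": "2024-06-01"},
    ],
})
EPSS_DAY2 = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.004", "percentile": "0.71", "date": "2024-06-02"},
        {"cve": "CVE-2024-0002", "epss": "0.610", "percentile": "0.99", "date": "2024-06-02"},
        {"cve": "CVE-2024-0003", "epss": "0.002", "percentile": "0.45", "date": "2024-06-02"},
    ],
})

# Constructed static severity for the same CVEs (in OpenCVE this would come from the
# CVSS data it already stores). Note the 9.8 has the lowest exploitation probability.
CVSS = {"CVE-2024-0001": 9.8, "CVE-2024-0002": 7.5, "CVE-2024-0003": 5.3}


def parse_epss(payload: str) -> dict[str, float]:
    """Return {cve: epss} from an EPSS API JSON body, rejecting non-OK responses.
    The API returns numbers as strings, so convert explicitly."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {doc.get('status')!r}")
    return {row["cve"]: float(row["epss"]) for row in doc["data"]}


def rank(cvss: dict[str, float], epss: dict[str, float]) -> list[str]:
    """Order CVEs by exploitation probability first and severity second.
    A CVE absent from the EPSS feed is treated as probability 0 but is kept in the list,
    so nothing silently drops out of triage."""
    return sorted(cvss, key=lambda cve: (epss.get(cve, 0.0), cvss[cve]), reverse=True)


def epss_changes(before: dict[str, float], after: dict[str, float],
                 threshold: float = 0.1) -> list[tuple[str, float, float, float]]:
    """Flag CVEs whose EPSS moved by at least `threshold` (absolute) between snapshots.
    Returns (cve, old, new, delta) tuples; a CVE missing from one side counts as 0."""
    flagged = []
    for cve in sorted(set(before) | set(after)):
        old, new = before.get(cve, 0.0), after.get(cve, 0.0)
        delta = round(new - old, 3)
        if abs(delta) >= threshold:
            flagged.append((cve, old, new, delta))
    return flagged


if __name__ == "__main__":
    day1, day2 = parse_epss(EPSS_DAY1), parse_epss(EPSS_DAY2)
    print("by CVSS alone:", sorted(CVSS, key=CVSS.get, reverse=True))
    print("by EPSS, then CVSS:", rank(CVSS, day2))
    for cve, old, new, delta in epss_changes(day1, day2):
        print(f"{cve}: EPSS {old} -> {new} ({delta:+})")
```

Run stand-alone, the script shows the CVSS 9.8 entry at the top of the severity-only list but below the CVSS 7.5 entry once EPSS is considered, and reports the 7.5 entry's jump from 0.12 to 0.61 as the one change worth an alert. To use live data, fetch the two snapshots with the `cve` and `date` query parameters instead of the embedded constants; the parsing and ranking logic does not change.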