Tag

#epss

2 posts tagged #epss.

Analysis · Jun 3, 2026 · Colten Anderson

Everything is critical, so nothing is critical

A third of last year's CVEs were rated High or Critical, but only a few percent ever get exploited. The severity score was never a risk score, and the queue that treats it like one is the reason confirmed-exploited bugs sit unpatched for 43 days.
Analysis · May 14, 2026 · Colten Anderson

Does this CVE actually apply to you? Three filters before you patch

Single-score triage fails in both directions: 10.0s that don't apply, 4.3s that get exploited for 13 days. Three filters reduce the queue.