EPSS Scores in the GitHub Advisory Database 🚀 #141713
Replies: 2 comments
-
Looks like the REST API includes the EPSS in the response to the GET /advisories/{ghsa_id} endpoint. Is there a plan to include these in the Dependabot alerts as well, GET /repos/{owner}/{repo}/dependabot/alerts/{alert_number}?
-
A suggestion for improvement: when opening Dependabot alerts I can sort vulnerable dependencies by CVSS, which alone isn't a good metric. It is horrible if you have 200+ vulnerable dependencies and not everyone can just go ahead and patch everything. It seems the data is available, so instead of just seeing critical/high according to CVSS I would like to enrich the alerts view with EPSS and patch availability so I can prioritize better.
-
The GitHub Advisory Database now features the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks.
EPSS scores predict the likelihood of a vulnerability being exploited, with scores ranging from 0 to 1 (0 to 100%). Higher scores mean higher risk. We also show the EPSS score percentile, indicating how a vulnerability compares to others.
For example, a 90.534% EPSS score at the 95th percentile means:
Learn more in FIRST's EPSS User Guide.
This feature will be available in GitHub Enterprise Server version 3.16 and later.
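The two replies and the announcement describe the pieces of one workflow: GET /advisories/{ghsa_id} already returns EPSS, the Dependabot alerts endpoint returns the alert with its advisory and first patched version, and the announcement defines the score (probability, 0 to 1) and the percentile. The script below is an added example written for this thread, not GitHub's own tooling; it performs the join client-side, looks up each open alert's advisory, and ranks alerts by a tier built from EPSS and whether a patched version exists, rendering the score the way the announcement does ("90.534% (95th percentile)"). Assumptions: the JSON field names (in particular epss.percentage and epss.percentile on the advisory object, and security_vulnerability.first_patched_version on the alert), the 0.1 EPSS cut-off, and the tier order are mine, and the sample alerts and advisories are constructed placeholders, not real advisories.

```python
import json
import os
import urllib.request

API = "https://api.github.com"
EPSS_THRESHOLD = 0.1  # assumption: a common starting cut-off; tune to your risk appetite

# ---- Constructed sample input: placeholder IDs, not real advisories --------------
def _alert(number, name, ghsa, cve, severity, score, patched):
    """Object shaped like one item of GET /repos/{owner}/{repo}/dependabot/alerts (assumed field names)."""
    return {"number": number, "state": "open",
            "dependency": {"package": {"ecosystem": "npm", "name": name}, "manifest_path": "package-lock.json"},
            "security_advisory": {"ghsa_id": ghsa, "cve_id": cve, "severity": severity, "cvss": {"score": score}},
            "security_vulnerability": {"first_patched_version": {"identifier": patched} if patched else None}}

SAMPLE_ALERTS = [
    _alert(1, "pkg-a", "GHSA-0000-0000-0001", "CVE-0000-00001", "critical", 9.8, "2.0.1"),
    _alert(2, "pkg-b", "GHSA-0000-0000-0002", "CVE-0000-00002", "high", 7.5, "1.4.2"),
    _alert(3, "pkg-c", "GHSA-0000-0000-0003", "CVE-0000-00003", "medium", 5.3, None),
    _alert(4, "pkg-d", "GHSA-0000-0000-0004", None, "high", 8.1, "0.9.0"),
]
# Shaped like GET /advisories/{ghsa_id}. Assumption: EPSS appears as
# {"epss": {"percentage": <probability 0..1>, "percentile": <0..1>}} and is null
# when FIRST has no score (typically an advisory without a CVE).
SAMPLE_ADVISORIES = {
    "GHSA-0000-0000-0001": {"epss": {"percentage": 0.00045, "percentile": 0.16}},
    "GHSA-0000-0000-0002": {"epss": {"percentage": 0.90534, "percentile": 0.95}},
    "GHSA-0000-0000-0003": {"epss": {"percentage": 0.42, "percentile": 0.93}},
    "GHSA-0000-0000-0004": {"epss": None},
}

def ordinal(n):
    suffix = "th" if 11 <= n % 100 <= 13 else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"

def format_epss(probability, percentile):
    """Render an EPSS pair the way the announcement does, e.g. '90.534% (95th percentile)'."""
    return f"{probability * 100:.3f}% ({ordinal(round(percentile * 100))} percentile)"

def patch_available(alert):
    fpv = alert["security_vulnerability"].get("first_patched_version")
    return bool(fpv and fpv.get("identifier"))

def epss_of(advisory):
    """(probability, percentile) from an advisory object, or (None, None) if unscored."""
    epss = (advisory or {}).get("epss") or {}
    if epss.get("percentage") is None:
        return None, None
    return float(epss["percentage"]), float(epss.get("percentile") or 0.0)

def tier(probability, patchable, threshold=EPSS_THRESHOLD):
    """Assumed triage buckets: likely-exploited and fixable first; unscored alerts fall back to CVSS."""
    if probability is None:
        return "unscored"
    if probability >= threshold:
        return "fix now" if patchable else "mitigate"
    return "schedule" if patchable else "backlog"

TIER_ORDER = {"fix now": 0, "mitigate": 1, "unscored": 2, "schedule": 3, "backlog": 4}

def prioritize(alerts, advisories, threshold=EPSS_THRESHOLD):
    """Join alerts with their advisories' EPSS and sort: tier, then EPSS desc, then CVSS desc."""
    rows = []
    for a in alerts:
        if a.get("state") != "open":
            continue
        adv = a["security_advisory"]
        prob, pct = epss_of(advisories.get(adv["ghsa_id"]))
        patchable = patch_available(a)
        rows.append({"number": a["number"], "package": a["dependency"]["package"]["name"],
                     "ghsa_id": adv["ghsa_id"], "cvss": float((adv.get("cvss") or {}).get("score") or 0.0),
                     "epss": prob, "epss_display": format_epss(prob, pct) if prob is not None else "n/a",
                     "patch_available": patchable, "tier": tier(prob, patchable, threshold)})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -(r["epss"] or 0.0), -r["cvss"]))
    return rows

def _get(path, token):
    req = urllib.request.Request(API + path, headers={"Accept": "application/vnd.github+json",
                                                      "Authorization": f"Bearer {token}",
                                                      "X-GitHub-Api-Version": "2022-11-28"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_live(owner, repo, token):
    """Pull open alerts plus each referenced global advisory. Follow the Link header
    for repos with more than 100 open alerts (pagination omitted here)."""
    alerts = _get(f"/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100", token)
    ids = {a["security_advisory"]["ghsa_id"] for a in alerts}
    return alerts, {g: _get(f"/advisories/{g}", token) for g in ids}

if __name__ == "__main__":
    token, slug = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_REPOSITORY")
    if token and slug:
        alerts, advisories = fetch_live(*slug.split("/", 1), token)
    else:
        alerts, advisories = SAMPLE_ALERTS, SAMPLE_ADVISORIES  # offline demo on constructed data
    for r in prioritize(alerts, advisories):
        print(f'#{r["number"]:<3} {r["tier"]:<9} EPSS {r["epss_display"]:<26} CVSS {r["cvss"]:<4} '
              f'patch={"yes" if r["patch_available"] else "no"} {r["package"]} ({r["ghsa_id"]})')
```

With GITHUB_TOKEN and GITHUB_REPOSITORY (owner/repo) set, the script queries the live API; otherwise it ranks the constructed sample. On that sample the critical CVSS 9.8 alert, which a CVSS-only sort puts first, drops to the bottom because its EPSS is 0.045%, while the high alert with a 90.534% EPSS and an available patch comes out on top; the alert whose advisory carries no EPSS is kept visible in its own bucket rather than silently sorting as zero.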