Skip to main content

Understanding SCA exploitability information

Veracode SCA provides the following exploitability information that you may combine with vulnerability severity ratings to prioritize what to fix first:

  • Exploit Prediction Scoring System (EPSS) attempts to calculate the probability that a hacker will exploit a vulnerability.
  • Exploit Observed determines whether a hacker has already exploited a vulnerability or the vulnerable code is public.

EPSS, the organization that created the Common Vulnerability Scoring System (CVSS), developed the Exploit Prediction Scoring System (EPSS). EPSS has two components: probability and percentile.

  • EPSS Probability: the EPSS model produces an epss_score between 0 and 1 (0 and 100%) that estimates the probability that a software vulnerability will be exploited in the next 30 days. The higher the score, the greater the probability that a vulnerability will be exploited.
  • EPSS Percentile: the EPSS model also provides the epss_percentile of the current EPSS score, which shows the percentage of all vulnerabilities with the same or lower EPSS scores.

EPSS data is updated daily. Only published vulnerabilities with an assigned CVE number have an EPSS score. For example, SRCCLR-SID-1538 has no EPSS score because it does not have a CVE number, and CVE-2014-1862 has no EPSS score because its status is reserved, not published.

Exploit Observed

When an exploit is observed in the wild or when proof of concept (POC) code becomes publicly available, the exploit_observed field is true and the exploit_source field displays the source of this information. Veracode’s sources are the Exploit-DB from OffSec and the Known Exploited Vulnerabilities (KEV) catalog from the Cybersecurity & Infrastructure Security Agency (CISA).