In cybersecurity, most security shops push their teams to remediate all vulnerabilities identified by scanning tools immediately. This has proven to be an exhaustive task because there are always new vulnerabilities emerging and most importantly a good number of them have not be exploited in the real world aka 'wild.'

A few security best practices have been adopted to combat this strenuous method of dealing with vulnerabilities such as remediating based on priority. This means fix vulnerabilities classified as critical and high first  then move onto the mediums and lows. The prioritization process involves as few variables such as; what percentage of your organization assets are susceptible to the vulnerability? If compromised how will it affect your organizations' operations? What will be the cost of repair if compromised? Will there be legal implication and or negative brand repercussions?

To assist in determining which vulnerabilities to prioritize, First.org - a global peer collaboration team focused on providing solutions to Incident Response Teams created, Exploit Prediction Scoring System (EPSS). EPSS scores vulnerabilities based on probability of them being exploited in the wild or if they have been seen in the wild. This assists CSIRT and PSIRT focus their limited resources on remediating exploits that are actively being compromised rather than fixing vulnerabilities that have a high score in a security scanning tool which have not been exploited in over a decade.

To learn more visit First.org - The EPSS Model