FAQ

Exploitable Vulnerabilities

SOOS integrates with first.org and CISA to pull in exploitable vulnerability data.

First.org

The Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited. SOOS uses EPSS to highlight exploitable CVEs in your SCA, SBOM, and Container scans by displaying an indicator badge on the finding. Identifying CVEs flagged by EPSS lets teams prioritize mitigation efforts more efficiently.

  • EPSS Score represents the likelihood of the vulnerability being exploited within the next 30 days.
  • EPSS Percentile represents the percentage of all ranked CVEs that are scored lower than the given CVE.

CISA KEV

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list of vulnerabilities that are known to CISA to be exploitable. SOOS uses the presence of a KEV entry to highlight exploitable CVEs in your SCA, SBOM, and Container scans by displaying an indicator badge on the finding. Identifying CVEs in the KEV catalog lets teams prioritize mitigation efforts more efficiently.
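Added example (not SOOS code) showing how the two signals described in the EPSS and KEV sections above combine into a triage order: it parses constructed payloads shaped like the FIRST EPSS API response and the CISA KEV catalog JSON feed, flags a CVE as exploitable if it is in KEV or its EPSS score meets a threshold, and sorts KEV entries first, then by EPSS score. The CVE IDs and the 0.10 threshold are assumptions made for the example, not SOOS settings.

```python
import json

# Constructed sample payloads, shaped like the FIRST EPSS API response
# (api.first.org/data/v1/epss) and the CISA KEV catalog JSON feed.
# The CVE IDs are placeholders for illustration, not real entries.
EPSS_RESPONSE = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-1900-0001", "epss": "0.91000", "percentile": "0.99000", "date": "2024-01-01"},
    {"cve": "CVE-1900-0002", "epss": "0.02000", "percentile": "0.85000", "date": "2024-01-01"},
    {"cve": "CVE-1900-0003", "epss": "0.00040", "percentile": "0.10000", "date": "2024-01-01"},
]})
KEV_CATALOG = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-1900-0002", "knownRansomwareCampaignUse": "Known"},
]})


def load_epss(raw: str) -> dict:
    """Map CVE id -> (score, percentile); the API returns both as strings."""
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in json.loads(raw)["data"]}


def load_kev(raw: str) -> set:
    """Set of CVE ids present in the KEV catalog."""
    return {row["cveID"] for row in json.loads(raw)["vulnerabilities"]}


def annotate(cves, epss, kev, epss_threshold=0.10):
    """Enrich scan findings with EPSS and KEV signals and order them for triage.

    A CVE is flagged exploitable if it is in KEV or its EPSS score (the
    30-day exploitation probability) meets the threshold. The 0.10 threshold
    is an assumption for this example. KEV entries sort first, then by EPSS
    score descending; CVEs with no EPSS record keep score None and sort last
    instead of being dropped.
    """
    rows = []
    for cve in cves:
        score, pct = epss.get(cve, (None, None))
        in_kev = cve in kev
        rows.append({"cve": cve, "epss_score": score, "epss_percentile": pct,
                     "in_kev": in_kev,
                     "exploitable": in_kev or (score is not None and score >= epss_threshold)})
    rows.sort(key=lambda r: (not r["in_kev"],
                             -(r["epss_score"] if r["epss_score"] is not None else -1.0)))
    return rows


if __name__ == "__main__":
    findings = ["CVE-1900-0003", "CVE-1900-0001", "CVE-1900-0002", "CVE-1900-0004"]
    for r in annotate(findings, load_epss(EPSS_RESPONSE), load_kev(KEV_CATALOG)):
        print(r)
```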

Exploitable Vulnerabilities in SOOS Research Pages

The SOOS Vulnerability Research pages will indicate any exploitability details that are known.
