RiskBasedPrioritization
diff --git a/‎assets/images/cvss_exploitation_parcat.png‎
-34.6 KB b/‎assets/images/cvss_exploitation_parcat.png‎
-34.6 KB
diff --git a/‎organizations/acme/Applied/index.html‎
Lines changed: 1 addition & 1 deletion b/‎organizations/acme/Applied/index.html‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎print_page/index.html‎
Lines changed: 14 additions & 5 deletions b/‎print_page/index.html‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎risk/Rbp_schemes/index.html‎
Lines changed: 13 additions & 4 deletions b/‎risk/Rbp_schemes/index.html‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎search/search_index.json‎
Lines changed: 1 addition & 1 deletion b/‎search/search_index.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎sitemap.xml.gz‎
0 Bytes b/‎sitemap.xml.gz‎
0 Bytes
diff --git a/‎vendors/Qualys/index.html‎
Lines changed: 1 addition & 1 deletion b/‎vendors/Qualys/index.html‎
Lines changed: 1 addition & 1 deletion
@@ -1523,7 +1523,7 @@ <h2 id="regulated-environment">Regulated Environment<a class="headerlink" href="
 </ul>
 <p>A CVEs "scored 4.0 or higher by the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr>" is pretty much all CVEs
 (&gt;96%) per "<abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity Rating Scale"</p>
-<p>The organization uses <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> score and "Likelihood of Exploit" to
+<p>The organization uses <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> score and "Likelihood of Exploitation" to
 prioritize CVEs for the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> threshold required by regulation.
 Specifically it uses:</p>
 <ol>
 
@@ -4983,7 +4983,7 @@ <h3 id="vendors-qualys-comparison-of-cves-with-qualys-qvs-and-epss-scores"><stro
 <p class="admonition-title">Takeaways</p>
 <ol>
 <li>"The focus should be given to CVEs known to be exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available"</li>
-<li>The Qualys scoring / priority for "Likelihood of Exploit" factors is in this order<ol>
+<li>The Qualys scoring / priority for "Likelihood of Exploitation" factors is in this order<ol>
 <li>known to be exploited in the wild </li>
 <li>weaponized exploits </li>
 <li>PoC exploits.</li>
@@ -5452,6 +5452,11 @@ <h3 id="risk-rbp_schemes-cvss-base-score-ratings-with-exploitation-focus"><abbr
 <p>A simple illustrative scheme that combines Base Score Ratings with Exploitation status is defined here.</p>
 <ul>
 <li><a href="#vendors-qualys-in-depth-look-into-data-driven-science-behind-qualys-trurisk">Qualys TruRisk</a> is an example of this type of scheme.</li>
+<li>
+<div class="admonition quote">
+<p class="admonition-title">Quote</p>
+"The focus should be given to CVEs known to be exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available"</div>
+</li>
 </ul>
 <table>
 <thead>
@@ -5465,22 +5470,22 @@ <h3 id="risk-rbp_schemes-cvss-base-score-ratings-with-exploitation-focus"><abbr
 <tr>
 <td>10</td>
 <td>critical</td>
-<td>kev</td>
+<td>kev or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>9</td>
 <td>critical</td>
-<td>weaponized</td>
+<td>weaponized or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>8</td>
 <td>high</td>
-<td>kev</td>
+<td>kev or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>7</td>
 <td>high</td>
-<td>weaponized</td>
+<td>weaponized or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>6</td>
@@ -5535,6 +5540,10 @@ <h3 id="risk-rbp_schemes-cvss-base-score-ratings-with-exploitation-focus"><abbr
 <td>poc (Proof Of Concept)</td>
 <td>poc_github or exploitdb</td>
 </tr>
+<tr>
+<td><abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
+<td><abbr title="Exploit Prediction Scoring System">EPSS</abbr> Score &gt;= 10%</td>
+</tr>
 </tbody>
 </table>
 <figure>
 
@@ -1605,6 +1605,11 @@ <h3 id="cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vul
 <p>A simple illustrative scheme that combines Base Score Ratings with Exploitation status is defined here.</p>
 <ul>
 <li><a href="../../vendors/Qualys/#in-depth-look-into-data-driven-science-behind-qualys-trurisk">Qualys TruRisk</a> is an example of this type of scheme.</li>
+<li>
+<div class="admonition quote">
+<p class="admonition-title">Quote</p>
+"The focus should be given to CVEs known to be exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available"</div>
+</li>
 </ul>
 <table>
 <thead>
@@ -1618,22 +1623,22 @@ <h3 id="cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vul
 <tr>
 <td>10</td>
 <td>critical</td>
-<td>kev</td>
+<td>kev or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>9</td>
 <td>critical</td>
-<td>weaponized</td>
+<td>weaponized or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>8</td>
 <td>high</td>
-<td>kev</td>
+<td>kev or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>7</td>
 <td>high</td>
-<td>weaponized</td>
+<td>weaponized or <abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
 </tr>
 <tr>
 <td>6</td>
@@ -1688,6 +1693,10 @@ <h3 id="cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vul
 <td>poc (Proof Of Concept)</td>
 <td>poc_github or exploitdb</td>
 </tr>
+<tr>
+<td><abbr title="Exploit Prediction Scoring System">EPSS</abbr> High</td>
+<td><abbr title="Exploit Prediction Scoring System">EPSS</abbr> Score &gt;= 10%</td>
+</tr>
 </tbody>
 </table>
 <figure>
 
@@ -1704,7 +1704,7 @@ <h3 id="comparison-of-cves-with-qualys-qvs-and-epss-scores"><strong>Comparison o
 <p class="admonition-title">Takeaways</p>
 <ol>
 <li>"The focus should be given to CVEs known to be exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available"</li>
-<li>The Qualys scoring / priority for "Likelihood of Exploit" factors is in this order<ol>
+<li>The Qualys scoring / priority for "Likelihood of Exploitation" factors is in this order<ol>
 <li>known to be exploited in the wild </li>
 <li>weaponized exploits </li>
 <li>PoC exploits.</li>