EPSS Scores in the GitHub Advisory Database 🚀 #141713
ghostinhershell
asked this question in
Code Security
Looks like the REST API includes the EPSS in the response to the GET /advisories/{ghsa_id} endpoint. Is there a plan to include these in the Dependabot alerts as well, GET /repos/{owner}/{repo}/dependabot/alerts/{alert_number}?
The GitHub Advisory Database now features the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks.
EPSS scores predict the likelihood of a vulnerability being exploited, with scores ranging from 0 to 1 (0 to 100%). Higher scores mean higher risk. We also show the EPSS score percentile, indicating how a vulnerability compares to others.
For example, a 90.534% EPSS score at the 95th percentile means:
Learn more in FIRST’s EPSS User Guide.
This feature will be available in GitHub Enterprise Server version 3.16 and later.
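An added example, not part of the original discussion and not GitHub's own code: one way to read EPSS values out of advisory records shaped like the `GET /advisories/{ghsa_id}` response and sort them for triage. The `epss.percentage` / `epss.percentile` field layout, the placeholder GHSA ids, the sample records and the `prob_floor` threshold are all assumptions made for illustration.

```python
import json

# Constructed sample records shaped like GET /advisories/{ghsa_id} responses.
# GHSA ids are placeholders; the "epss" field layout is an assumption.
SAMPLE = json.loads("""[
  {"ghsa_id": "GHSA-aaaa-aaaa-aaaa", "severity": "critical",
   "epss": {"percentage": 0.00045, "percentile": "0.16001e0"}},
  {"ghsa_id": "GHSA-bbbb-bbbb-bbbb", "severity": "medium",
   "epss": {"percentage": 0.90534, "percentile": 0.95}},
  {"ghsa_id": "GHSA-cccc-cccc-cccc", "severity": "high", "epss": null},
  {"ghsa_id": "GHSA-dddd-dddd-dddd", "severity": "high",
   "epss": [{"percentage": 0.12, "percentile": 0.93}]}
]""")


def read_epss(advisory):
    """Return (probability, percentile) as floats in [0, 1], or None if unscored."""
    epss = advisory.get("epss")
    if isinstance(epss, list):           # tolerate a one-element list
        epss = epss[0] if epss else None
    if not isinstance(epss, dict):
        return None
    try:
        prob = float(epss["percentage"])
        pct = float(epss["percentile"])  # may arrive as a string like "0.16001e0"
    except (KeyError, TypeError, ValueError):
        return None
    if not (0.0 <= prob <= 1.0 and 0.0 <= pct <= 1.0):
        return None                      # outside the 0..1 range EPSS uses
    return prob, pct


def triage(advisories, prob_floor=0.10):
    """Split into (urgent, routine, unscored) id lists; unscored is never treated as low risk."""
    urgent, routine, unscored = [], [], []
    for adv in advisories:
        score = read_epss(adv)
        if score is None:
            unscored.append(adv["ghsa_id"])
        elif score[0] >= prob_floor:     # hypothetical cut-off, tune per organisation
            urgent.append((score[0], adv["ghsa_id"]))
        else:
            routine.append((score[0], adv["ghsa_id"]))
    by_prob = lambda rows: [g for _, g in sorted(rows, reverse=True)]
    return by_prob(urgent), by_prob(routine), unscored


if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the constructed data, the medium-severity advisory outranks the critical one because its EPSS probability is far higher, which is the kind of reordering EPSS is meant to surface alongside severity.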