State of EPSS and What to Expect from Version 4
CVE/FIRST VulnCon 2025 · Main Stage
In this talk at VulnCon, Jay Jacobs, a pivotal figure in the development of the Exploit Prediction Scoring System (**EPSS**) and founder of Empirical Security, reviewed the current state of EPSS and gave a detailed look at its latest iteration, **EPSS Version 4 (V4)**. The presentation made the case for a data-driven approach to vulnerability prioritization, moving beyond traditional methods that rely on static severity ratings and subjective judgement. Jacobs stressed that EPSS rests on one fundamental principle: the model is trained and evaluated against objective feedback from observed exploitation activity, not against speculative risk assessments or static severity scores.
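The summary above contrasts prioritizing by observed-exploitation probability with prioritizing by static severity. The following Python example, added here and not code from the talk, from FIRST or from Empirical Security, makes that contrast concrete: it parses a file in the layout of the public daily EPSS CSV export (comment header lines, then `cve,epss,percentile`), joins the scores to a CVSS-scored backlog, and compares how many exploited CVEs a fixed patch budget is expected to cover under each ordering. Every CVE identifier, EPSS score and CVSS score below is constructed sample data; one CVE is deliberately left out of the EPSS file to show how an unscored vulnerability should be surfaced rather than silently treated as safe.

```python
import csv
from dataclasses import dataclass

# Constructed sample in the shape of the daily EPSS CSV export (comment header, then rows).
# These CVE IDs and scores are made up for the example, not real EPSS output.
SAMPLE_EPSS_CSV = """#model_version:v2025.03.14,score_date:2025-03-18T00:00:00+0000
cve,epss,percentile
CVE-2024-00001,0.00042,0.11000
CVE-2024-00002,0.91230,0.99800
CVE-2024-00003,0.03500,0.88000
CVE-2024-00004,0.00120,0.45000
"""

# Constructed CVSS base scores for the same backlog (assumed to come from a scanner export).
# CVE-2024-00005 deliberately has no EPSS row, to show how an unscored CVE is handled.
SAMPLE_CVSS = {
    "CVE-2024-00001": 9.8,
    "CVE-2024-00002": 7.5,
    "CVE-2024-00003": 9.1,
    "CVE-2024-00004": 8.8,
    "CVE-2024-00005": 6.5,
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float        # probability of exploitation activity in the next 30 days
    percentile: float  # share of all scored CVEs with an EPSS score at or below this one
    scored: bool       # False when EPSS published no score for this CVE


def parse_epss_csv(text: str) -> dict[str, tuple[float, float]]:
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' metadata lines."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in csv.DictReader(rows)}


def join_findings(epss_text: str, cvss_by_cve: dict[str, float]) -> list[Finding]:
    """Attach EPSS scores to a CVSS-scored backlog. Unscored CVEs get epss=0.0 and scored=False."""
    scores = parse_epss_csv(epss_text)
    findings = []
    for cve, cvss in cvss_by_cve.items():
        if cve in scores:
            epss, pct = scores[cve]
            findings.append(Finding(cve, cvss, epss, pct, True))
        else:
            findings.append(Finding(cve, cvss, 0.0, 0.0, False))
    return findings


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """Traditional order: highest static severity first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_epss(findings: list[Finding]) -> list[str]:
    """EPSS order: highest probability of observed exploitation first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.epss, reverse=True)]


def expected_exploited(findings: list[Finding], order: list[str], budget: int) -> float:
    """Expected number of CVEs with exploitation activity among the first `budget` in `order`.
    By linearity of expectation this is a plain sum of the EPSS probabilities."""
    by_cve = {f.cve: f for f in findings}
    return sum(by_cve[cve].epss for cve in order[:budget])


def unscored(findings: list[Finding]) -> list[str]:
    """CVEs that EPSS did not score; these need a separate decision, not a silent zero."""
    return [f.cve for f in findings if not f.scored]


if __name__ == "__main__":
    findings = join_findings(SAMPLE_EPSS_CSV, SAMPLE_CVSS)
    budget = 2  # patches the team can ship this cycle
    for name, order in (("CVSS", rank_by_cvss(findings)), ("EPSS", rank_by_epss(findings))):
        covered = expected_exploited(findings, order, budget)
        print(f"{name} order: {order[:budget]} -> expected exploited {covered:.4f}")
    print("unscored by EPSS:", unscored(findings))
```

With a budget of two patches, the CVSS ordering picks the two 9.x findings and covers an expected 0.035 exploited CVEs, while the EPSS ordering picks the 7.5 with a 0.91 probability and covers roughly 0.95. The `unscored` list is the practitioner's caveat: a CVE absent from the EPSS export is not low risk, it is unknown risk, and should be handled by a separate rule rather than sorted to the bottom.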
AI review
Jay Jacobs delivers a substantive, technically grounded walkthrough of EPSS V4 at exactly the right venue. This is the creator of the system explaining design decisions, failure modes, and architectural changes with the specificity you only get from someone who built the thing and is willing to say where it went wrong. The decay/overfitting candor about V3 alone is worth the runtime. Not a 5 because the talk is largely an update to existing work rather than a paradigm shift, and the defensive implications section drifts toward the kind of 'integrate into your workflows' advice that fills…