The formula
We blend the three signals, then floor the result by the strongest single signal so that no one component going quiet can drag a genuinely dangerous CVE into the basement:
- Blend = 40% CVSS + 35% peak EPSS + 25% KEV (each scaled to 0–100).
- Floor = the highest of: 100 if it is in KEV; a severity floor from CVSS (Critical ≥ 70, High ≥ 55, Medium ≥ 35, Low ≥ 15); and an exploitation floor from peak EPSS (≥ 0.5 → 80, ≥ 0.1 → 60, ≥ 0.01 → 35).
- Risk Priority = the larger of the blend and the floor, capped at 100.
Why “peak” EPSS, not current EPSS
EPSS is a daily prediction that rises and falls. A CVE that was once predicted highly likely to be exploited can see its score decay months later — and FIRST.org’s EPSS v4 rollout in September 2025 dropped initial scores for fresh CVEs by 4–6×. If we used the current score, an identical CVE published after that change would read as lower-risk than its 2024 peers purely because of a scale change. We therefore feed the composite the highest EPSS a CVE has ever reached. The score on display next to it is still the current EPSS; only the risk number uses the peak.
Why a floor
An earlier version weighted EPSS at 60%. Because EPSS is near-zero for the vast majority of CVEs, a severe-but-not-yet-exploited bug could score around 20/100 — the score cratered whenever its heaviest component failed to fire. The floor fixes that: a Critical-severity CVE can never read below 70, a known-exploited CVE is always 100, and a CVE with high predicted exploitation is floored at 80, regardless of what the other two signals say.
Worked examples
| Scenario | CVSS | peak EPSS | KEV | Risk |
|---|---|---|---|---|
| Critical, not yet exploited | 9.8 | 0.002 | no | 70 |
| Known-exploited, moderate severity | 7.5 | 0.05 | yes | 100 |
| High predicted exploitation | 6.5 | 0.85 | no | 80 |
| Severe, exploited, high EPSS | 9.8 | 0.95 | yes | 100 |
| Low severity, no exploit signal | 4.0 | 0.001 | no | 35 |
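The scoring rule above, carried through as an added Python example (not the page's or the product's own code) that reproduces the worked-examples table and also shows why the peak is used: a CVE whose EPSS has decayed from 0.7 to 0.08 keeps its exploitation floor of 80. It assumes the standard CVSS v3.x qualitative bands (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0) for the severity floor, which the page does not spell out.

```python
"""Risk Priority = max(blend, floor), capped at 100. Added example, not the page's code."""
from typing import Iterable

# Severity floor from CVSS. The band edges are the standard CVSS v3.x
# qualitative ratings (an assumption; the page gives floors, not edges).
SEVERITY_FLOORS = ((9.0, 70), (7.0, 55), (4.0, 35), (0.1, 15))
# Exploitation floor from peak EPSS, exactly as the page states it.
EPSS_FLOORS = ((0.5, 80), (0.1, 60), (0.01, 35))


def _floor_for(value: float, table) -> int:
    """Floor of the first (threshold, floor) pair the value reaches, else 0."""
    for threshold, floor in table:
        if value >= threshold:
            return floor
    return 0


def peak_epss(history: Iterable[float]) -> float:
    """Highest EPSS the CVE has ever reached; an empty history contributes 0."""
    scores = list(history)
    return max(scores) if scores else 0.0


def blend(cvss: float, peak: float, in_kev: bool) -> float:
    """40% CVSS + 35% peak EPSS + 25% KEV, each signal first scaled to 0-100."""
    return 0.40 * (cvss * 10) + 0.35 * (peak * 100) + 0.25 * (100 if in_kev else 0)


def risk_priority(cvss: float, peak: float, in_kev: bool) -> int:
    """Larger of blend and floor, rounded to an integer and capped at 100."""
    if not 0.0 <= cvss <= 10.0 or not 0.0 <= peak <= 1.0:
        raise ValueError("CVSS must be within 0-10 and EPSS within 0-1")
    floor = max(100 if in_kev else 0,
                _floor_for(cvss, SEVERITY_FLOORS),
                _floor_for(peak, EPSS_FLOORS))
    return min(100, round(max(blend(cvss, peak, in_kev), floor)))


def risk_from_history(cvss: float, epss_history: Iterable[float], in_kev: bool) -> int:
    """Feed the composite the peak EPSS, not the latest daily value."""
    return risk_priority(cvss, peak_epss(epss_history), in_kev)


if __name__ == "__main__":
    # Constructed history: EPSS once 0.7, now decayed to 0.08 (current-only would give 35).
    print(risk_from_history(6.5, [0.7, 0.3, 0.08], False))  # 80
```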
See also: EPSS (FIRST.org) · CISA KEV.