Cyber Resilience

How we score CVE risk

The Risk Priority number on each CVE page is a single 0–100 score that combines three independent signals: how severe the flaw is (CVSS), how likely it is to be exploited (EPSS), and whether it is already being exploited in the wild (CISA KEV). It is a triage aid, not a substitute for your own environmental context.

The formula

We blend the three signals, then floor the result by the strongest single signal so that no one component going quiet can drag a genuinely dangerous CVE into the basement:

Why “peak” EPSS, not current EPSS

EPSS is a daily prediction that rises and falls. A CVE that was once predicted highly likely to be exploited can see its score decay months later — and FIRST.org’s EPSS v4 rollout in September 2025 dropped initial scores for fresh CVEs by 4–6×. If we used the current score, an identical CVE published after that change would read as lower-risk than its 2024 peers purely because of a scale change. We therefore feed the composite the highest EPSS a CVE has ever reached. The score on display next to it is still the current EPSS; only the risk number uses the peak.

Why a floor

An earlier version weighted EPSS at 60%. Because EPSS is near-zero for the vast majority of CVEs, a severe-but-not-yet-exploited bug could score around 20/100 — the score cratered whenever its heaviest component failed to fire. The floor fixes that: a Critical-severity CVE can never read below 70, a known-exploited CVE is always 100, and a CVE with high predicted exploitation is floored at 80, regardless of what the other two signals say.

Worked examples

Scenario                              CVSS   Peak EPSS   KEV   Risk
Critical, not yet exploited           9.8    0.002       no    70
Known-exploited, moderate severity    7.5    0.05        yes   100
High predicted exploitation           6.5    0.85        no    80
Severe, exploited, high EPSS          9.8    0.95        yes   100
Low severity, no exploit signal       4.0    0.001       no    35
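The following is an added illustration of the two rules described above (peak rather than current EPSS, and the floor by the strongest single signal), written for this page and not taken from the site's own scoring code. The three floors (Critical severity never below 70, known-exploited always 100, high predicted exploitation at 80) and the use of the all-time EPSS peak are exactly as the page states them; the blend weights, the threshold that counts as "high predicted exploitation", and the CVE histories are assumptions made up here, because the page does not publish them. As a result the first four rows of the table reproduce, while the low-severity row does not (no floor applies there, so its value depends entirely on the unpublished weights).

```python
"""Added example: a risk-priority composite with peak-EPSS tracking and
signal floors, modelled on the rules described on this page.
Blend weights and the high-EPSS threshold are placeholders, not the site's."""

from dataclasses import dataclass
from typing import List, Tuple

# ASSUMED blend weights for CVSS / EPSS / KEV (the page does not publish its own).
W_CVSS, W_EPSS, W_KEV = 0.4, 0.4, 0.2
# ASSUMED threshold for "high predicted exploitation" (not stated on the page).
HIGH_EPSS_THRESHOLD = 0.7
# CVSS v3.x "Critical" band starts at 9.0.
CRITICAL_CVSS = 9.0
# Floors as stated on the page: Critical >= 70, high peak EPSS >= 80, KEV = 100.
FLOOR_CRITICAL, FLOOR_HIGH_EPSS, FLOOR_KEV = 70.0, 80.0, 100.0


@dataclass
class CveSignals:
    cvss: float                 # base score, 0.0-10.0
    epss_history: List[float]   # daily EPSS probabilities, oldest first
    in_kev: bool                # listed in CISA KEV?

    @property
    def current_epss(self) -> float:
        """What the CVE page displays: today's EPSS."""
        return self.epss_history[-1]

    @property
    def peak_epss(self) -> float:
        """What the composite consumes: the highest EPSS ever recorded."""
        return max(self.epss_history)


def blend(cvss: float, epss: float, in_kev: bool) -> float:
    """Weighted blend on a 0-100 scale (weights are the assumed placeholders)."""
    return W_CVSS * cvss * 10 + W_EPSS * epss * 100 + W_KEV * (100.0 if in_kev else 0.0)


def strongest_floor(cvss: float, epss: float, in_kev: bool) -> Tuple[float, str]:
    """Return the highest applicable floor and the signal that drives it."""
    candidates = [(0.0, "blend")]
    if in_kev:
        candidates.append((FLOOR_KEV, "kev"))
    if epss >= HIGH_EPSS_THRESHOLD:
        candidates.append((FLOOR_HIGH_EPSS, "epss"))
    if cvss >= CRITICAL_CVSS:
        candidates.append((FLOOR_CRITICAL, "cvss"))
    return max(candidates, key=lambda c: c[0])


def risk_priority(sig: CveSignals, use_peak: bool = True) -> int:
    """0-100 Risk Priority: blend, floored by the strongest single signal.
    use_peak=False shows what the score would look like on current EPSS only."""
    epss = sig.peak_epss if use_peak else sig.current_epss
    raw = blend(sig.cvss, epss, sig.in_kev)
    floor, _ = strongest_floor(sig.cvss, epss, sig.in_kev)
    return int(round(min(100.0, max(raw, floor))))


def driving_signal(sig: CveSignals) -> str:
    """Which signal set the final number: 'kev', 'epss', 'cvss' or 'blend'."""
    floor, label = strongest_floor(sig.cvss, sig.peak_epss, sig.in_kev)
    raw = blend(sig.cvss, sig.peak_epss, sig.in_kev)
    return label if floor > raw else "blend"


# Constructed histories mirroring the page's worked-example rows (not real CVEs).
EXAMPLES = {
    "Critical, not yet exploited":        CveSignals(9.8, [0.001, 0.002], False),
    "Known-exploited, moderate severity": CveSignals(7.5, [0.05], True),
    # Peak 0.85 months ago, decayed to 0.30 today: the peak keeps the 80 floor.
    "High predicted exploitation":        CveSignals(6.5, [0.85, 0.30], False),
    "Severe, exploited, high EPSS":       CveSignals(9.8, [0.95], True),
    "Low severity, no exploit signal":    CveSignals(4.0, [0.001], False),
}

if __name__ == "__main__":
    for name, sig in EXAMPLES.items():
        print(f"{name:36} current EPSS {sig.current_epss:.3f}  "
              f"risk {risk_priority(sig):3d}  via {driving_signal(sig)}")
```

The `use_peak=False` path makes the decay problem concrete: the "High predicted exploitation" row drops from 80 to the bare blend once today's EPSS falls under the threshold, even though nothing about the CVE itself changed. `driving_signal` is the kind of annotation a triage view would want next to the number so an analyst can see whether a score is a blend or a floor.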

See also: EPSS (FIRST.org) · CISA KEV.