CVSS & EPSS Scoring
CodeStax uses industry-standard scoring systems to help you prioritize vulnerabilities.
CVSS — Common Vulnerability Scoring System
CVSS v3.1 provides a standardized way to rate the severity of security vulnerabilities on a scale of 0 to 10. The base score describes the intrinsic characteristics of a flaw; it says nothing about your environment or about whether anyone is actually exploiting it, which is why CodeStax pairs it with EPSS and KEV below.
Score Ranges
| Range | Severity | Action |
|---|---|---|
| 9.0 - 10.0 | Critical | Fix immediately |
| 7.0 - 8.9 | High | Fix within current sprint |
| 4.0 - 6.9 | Medium | Schedule for next sprint |
| 0.1 - 3.9 | Low | Fix when convenient |
CVSS Metrics
CodeStax works from the full v3.1 vector rather than just the headline number, so you can see which base metrics drive a score:
- Attack Vector — Network, Adjacent, Local, Physical
- Attack Complexity — Low, High
- Privileges Required — None, Low, High
- User Interaction — None, Required
- Scope — Unchanged, Changed (Changed means the flaw can affect resources beyond the vulnerable component, such as a sandbox or VM escape; it raises the score)
- Impact — Confidentiality, Integrity, Availability (each rated None, Low, High)
CVSS Data Sources
Scores are sourced from multiple authoritative vulnerability databases.
EPSS — Exploit Prediction Scoring System
EPSS scores represent the probability that a vulnerability will be exploited in the wild within the next 30 days.
CodeStax fetches the current EPSS data (FIRST publishes refreshed scores daily) to give you actionable exploit intelligence.
How to Use EPSS
| EPSS Score | Meaning | Priority |
|---|---|---|
| > 0.5 (50%) | Very likely to be exploited | Critical priority |
| 0.1 - 0.5 | Moderate exploitation probability | High priority |
| 0.01 - 0.1 | Low but notable risk | Normal priority |
| < 0.01 | Unlikely to be exploited soon | Lower priority |
CVSS vs EPSS
| Aspect | CVSS | EPSS |
|---|---|---|
| Measures | Severity of the vulnerability | Likelihood of exploitation |
| Scale | 0-10 | 0-1 (probability) |
| Data source | Vulnerability characteristics | Real-world threat intelligence |
| Updates | Base score rarely changes after publication | Re-scored daily |
Pro Tip: Use both scores together. A Critical CVSS vulnerability with a low EPSS score may be less urgent than a High CVSS vulnerability with a high EPSS score. CVSS tells you how bad it is; EPSS tells you how likely it is to be exploited.
CISA KEV — Known Exploited Vulnerabilities
The CISA KEV Catalog tracks vulnerabilities that are actively being exploited in the wild. CodeStax automatically flags KEV matches.
- CISA’s catalog of actively exploited vulnerabilities
- KEV vulnerabilities carry remediation deadlines set by CISA (binding on US federal civilian agencies under BOD 22-01, and a useful benchmark for everyone else)
- CodeStax refreshes KEV data regularly
- Actively exploited vulnerabilities are always high priority in scoring
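An added example (not CodeStax code) of the KEV matching described above: it indexes a KEV feed snapshot by CVE ID, joins it against a list of findings and reports how far each hit is from CISA's due date, overdue entries first. The feed URL and field names are those of the public CISA JSON feed; the two catalog entries and the CVE IDs in the findings list are constructed for this example and are not real KEV records.

```python
# Added example, not CodeStax code: flag findings that appear in the CISA KEV catalog.
import json
from datetime import date, datetime

# Public feed (fetch it on a schedule; this example runs offline on the snapshot below).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed snapshot in the shape of the public feed. The entries are NOT real KEV records.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-0002", "vendorProject": "ExampleVendor", "product": "ExampleLib",
         "dateAdded": "2024-05-10", "dueDate": "2024-05-31",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed findings list (placeholder IDs); the reference date makes the demo deterministic.
FINDINGS = ["CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003", "CVE-2024-0001"]
TODAY = date(2024, 5, 20)


def load_kev(feed_json: str) -> dict:
    """Index the feed by CVE ID so each finding is an O(1) lookup."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def flag_kev(findings, kev: dict, today: date) -> list:
    """Return one record per finding that is in KEV, with its deadline status.
    Duplicate CVE IDs in `findings` are collapsed."""
    hits = []
    for cve in sorted(set(findings)):
        entry = kev.get(cve)
        if entry is None:
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        days_left = (due - today).days          # negative = past CISA's deadline
        hits.append({
            "cve": cve,
            "due_date": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    # Most urgent first: furthest past the deadline, then ransomware-linked entries.
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits


def demo() -> list:
    return flag_kev(FINDINGS, load_kev(KEV_SNAPSHOT), TODAY)


if __name__ == "__main__":
    for hit in demo():
        status = (f"{-hit['days_left']}d overdue" if hit["overdue"]
                  else f"due in {hit['days_left']}d")
        print(f"{hit['cve']}  KEV  {status}  ransomware={hit['ransomware']}  {hit['action']}")
```

A KEV hit is a fact, not a prediction: unlike EPSS, it tells you exploitation has already been observed, so a KEV match should override a low EPSS or a modest CVSS score in your triage.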
Priority Scoring Formula
For SCA findings, CodeStax computes a composite Priority Score (0–100) by fusing six signals:
| Signal | Weight | Notes |
|---|---|---|
| CVSS score | 35% | CVSS v3.1 base score, 0–10 scale |
| EPSS probability | 20% | FIRST.org EPSS — probability of exploitation in the next 30 days. Scaled ×200 and capped, so any EPSS of 0.10 or higher earns the full 20 points. |
| Reachability | 15% | Is the vulnerable code reachable from a user-input entry point? Computed from code-graph analysis. Unreachable dependencies are deprioritized. |
| KEV status | 15% | +15 bonus if CVE is in CISA Known Exploited Vulnerabilities catalog |
| Fix availability | 10% | Counter-intuitively, a missing fix raises priority: 3 points when a fixed version exists, 10 when none does, because a finding with no upgrade path needs a mitigation decision rather than a routine version bump. |
| Vulnerability age | 5% | Older unpatched CVEs score slightly higher |
Formula (see scanner-service/ai/scoring.py):
```python
cvss_contrib = (cvss / 10.0) * 35                            # 0–35
epss_contrib = min(epss_prob * 200, 20)                      # 0–20 (saturates once EPSS >= 0.10)
fix_contrib = 3 if has_fix else 10                           # 3 or 10
reach_contrib = {True: 15, False: 3, None: 7}[is_reachable]  # None = reachability unknown
kev_contrib = 15 if is_kev else 0                            # 0 or 15
age_contrib = age_bucket(published_date)                     # 0–5; age_bucket is defined in scoring.py
total = cvss_contrib + epss_contrib + fix_contrib + reach_contrib + kev_contrib + age_contrib
priority = min(int(total), 100)                              # the six maxima sum to exactly 100
```
Reachability
Reachability is computed from a code-graph (entry points → call chains → reachable functions). Vulnerabilities in packages imported but never actually called on a reachable path are deprioritized — letting you focus on what’s exploitable.
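An added example, not the scoring.py in scanner-service, that re-implements the six-signal formula above and runs it over three constructed findings to show how reachability, KEV status and EPSS reorder them relative to raw CVSS. The `age_bucket` thresholds (one point per full year since publication, capped at 5) are an assumption for this example; the page only says the term is 0–5 and grows with age. The CVE IDs and dates are placeholders.

```python
# Added example, not CodeStax code: stand-alone re-implementation of the Priority Score.
from dataclasses import dataclass
from datetime import date
from typing import Optional


def age_bucket(published: date, today: date) -> int:
    """ASSUMED bucketing (not from the page): one point per full year, capped at 5."""
    years = (today - published).days / 365.25
    return min(int(years), 5)


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                   # CVSS v3.1 base score, 0–10
    epss: float                   # EPSS probability, 0–1
    has_fix: bool                 # is a fixed version available?
    is_reachable: Optional[bool]  # None = code-graph could not decide
    is_kev: bool                  # listed in CISA KEV?
    published: date


def priority(f: Finding, today: date) -> int:
    """The six-signal formula from the page; every term maxes out so the sum is 100."""
    cvss_contrib = (f.cvss / 10.0) * 35                  # 0–35
    epss_contrib = min(f.epss * 200, 20)                 # 0–20; saturates at EPSS 0.10
    fix_contrib = 3 if f.has_fix else 10                 # no fix available needs attention
    reach_contrib = {True: 15, False: 3, None: 7}[f.is_reachable]
    kev_contrib = 15 if f.is_kev else 0
    age_contrib = age_bucket(f.published, today)         # 0–5
    total = (cvss_contrib + epss_contrib + fix_contrib
             + reach_contrib + kev_contrib + age_contrib)
    return min(int(total), 100)


def rank(findings, today: date) -> list:
    """Highest priority first; deterministic for identical inputs."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


TODAY = date(2025, 1, 1)
# Constructed findings with placeholder CVE IDs (not real records).
FINDINGS = [
    # Critical CVSS, but unreachable from any entry point and EPSS below 1%.
    Finding("CVE-2024-0001", 9.8, 0.004, True, False, False, date(2024, 11, 1)),
    # High CVSS, reachable, in KEV, EPSS 62%: the one that actually matters.
    Finding("CVE-2024-0002", 7.5, 0.62, True, True, True, date(2024, 6, 1)),
    # Medium CVSS with no fix and unknown reachability, published four years ago.
    Finding("CVE-2024-0003", 5.3, 0.02, False, None, False, date(2021, 1, 1)),
]

if __name__ == "__main__":
    for f in rank(FINDINGS, TODAY):
        print(f"{priority(f, TODAY):3d}  CVSS {f.cvss:4.1f}  EPSS {f.epss:.3f}  "
              f"reach={f.is_reachable}  kev={f.is_kev}  fix={f.has_fix}  {f.cve}")
```

Two things the numbers make visible: the CVSS 9.8 finding lands in third place once reachability and EPSS are folded in, and the EPSS term stops discriminating above 0.10, so a 10% and a 95% EPSS contribute the same 20 points. If you need to separate those two cases, KEV status and reachability are the signals doing that work in this formula, not EPSS.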
Priority Labels
The 0–100 score maps to 4 labels: Critical, High, Medium, Low.
Determinism
Priority is a pure function of (cvss, epss, reachability, kev, fix, age). Same inputs → same output. See Reproducibility.
This multi-factor approach ensures you fix what actually matters — not just what has the highest CVSS score.