Skip to content
All posts

Prioritising dependency CVEs with KEV and EPSS

1 min readcve · kev · epss · dependencies · prioritisation

Run a dependency scan on any real codebase and you get a wall of CVEs. Forty highs, a dozen criticals, and a creeping sense that the number is the problem. It is not. The problem is that CVSS alone cannot tell you what to fix first.

Three signals, not one

CVSS describes potential impact in a vacuum. It does not know whether anyone is exploiting the bug. Two extra signals fix that:

How NANOTESTING uses them

Dependency findings from the repository scan are enriched with KEV membership and EPSS probability. A medium-CVSS CVE that is on KEV with a high EPSS is more urgent than a critical that nobody has ever exploited and likely never will. The dashboard surfaces that ordering so your patch effort lands where the real-world risk is, not where the biggest number is.

The workflow

Patch every KEV match now. Then walk the EPSS ranking top-down until the probability drops into the noise. Everything below that is real but not this-week urgent, and pretending otherwise just burns your team out. The goal is not zero CVEs. The goal is zero EXPLOITABLE CVEs that you knew about and ignored.

Related posts