Document and automate vulnerability prioritization using EPSS and KEV
Motivation
EPSS and KEV are metrics used to prioritize security vulnerabilities, namely CVEs. These data can significantly reduce the number of vulnerabilities a team needs to focus on when considering remediation. Although there are over 250,000 documented CVEs, fewer than 2,000 are known to be exploited (indicated by KEV), and the vast majority have a near 0% chance of being exploited in any given 30-day window (indicated by EPSS). This means that remediation work on many high and critical CVEs may be postponed, while work on lower-ranked CVEs with known exploits can be expedited. Ultimately, the set of vulnerabilities that need prioritized attention can be reduced significantly, giving developers more time for other work.
Work on integrating these sources into GitLab is currently underway in:
- Efficient Dependency & Container Vulnerability ... (&11544 - closed)
- Efficient Dependency & Container Vulnerability ... (&11912 - closed)
Once these data are available, it isn't immediately obvious to all users how effective they are for prioritization. It is important not only to make the data accessible, but also to show users how useful they are, and in doing so emphasize the value GitLab provides to security efforts. This would help users reduce their remediation effort while making it more efficient.
What to do
We should choose the right way to present this information and promote it.
- Create a script to use EPSS and KEV data to prioritize CVEs.
- Document the flow in the handbook.
- Upload a video to GitLab Unfiltered.
- Make a blogpost.
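The prioritization described in the motivation, and the script called for in the first item above, as an added illustration that is not GitLab's own code: findings are placed in tiers (KEV first, then EPSS above an assumed 10% cut-off, then everything else), so a Low-severity CVE that is in KEV outranks a Critical one that is almost never exploited. The EPSS rows and KEV set are constructed sample data, shaped like the columns of the EPSS CSV (cve, epss, percentile) and the CVE IDs of the KEV catalog; the threshold and the scanner finding format are assumptions.

```python
import csv
import io

# Constructed sample data, not the real feeds. The real EPSS feed is a CSV with
# columns cve,epss,percentile; the real KEV catalog is a JSON list of cveID values.
EPSS_CSV = """cve,epss,percentile
CVE-2024-0001,0.00042,0.10
CVE-2024-0002,0.92110,0.99
CVE-2024-0003,0.00880,0.81
CVE-2024-0004,0.00015,0.04
"""
KEV_CVES = {"CVE-2024-0003"}

# Constructed scanner findings as (CVE id, CVSS severity label).
FINDINGS = [
    ("CVE-2024-0001", "Critical"),
    ("CVE-2024-0002", "Medium"),
    ("CVE-2024-0003", "Low"),
    ("CVE-2024-0004", "High"),
]

EPSS_THRESHOLD = 0.10  # assumed cut-off: ~10% chance of exploitation within 30 days


def load_epss(csv_text):
    """Parse EPSS CSV text into {cve: probability}."""
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO(csv_text))}


def prioritize(findings, epss, kev, threshold=EPSS_THRESHOLD):
    """Return findings ordered by urgency: KEV, then EPSS >= threshold, then DEFER.
    Within a tier, higher EPSS comes first, then higher CVSS severity."""
    severity_rank = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
    tier_rank = {"KEV": 0, "EPSS": 1, "DEFER": 2}
    rows = []
    for cve, severity in findings:
        score = epss.get(cve, 0.0)  # unknown CVE: treat as no evidence of exploitation
        tier = "KEV" if cve in kev else "EPSS" if score >= threshold else "DEFER"
        rows.append({"cve": cve, "severity": severity, "epss": score, "tier": tier})
    rows.sort(key=lambda r: (tier_rank[r["tier"]], -r["epss"], -severity_rank.get(r["severity"], 0)))
    return rows


if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_epss(EPSS_CSV), KEV_CVES):
        print(f"{r['tier']:5} {r['cve']}  epss={r['epss']:.5f}  cvss={r['severity']}")
```

Only the two findings in the KEV and EPSS tiers need immediate work here; the Critical and High findings land in DEFER because their EPSS scores are far below the cut-off.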