
[REVIEW] patch-prioritization: bound relative EPSS trend escalation #1210

@clynbmilio


Skill Being Reviewed

Skill name: patch-prioritization
Skill path: skills/vuln-management/patch-prioritization/SKILL.md

False Positive Analysis

Benign vulnerability record that triggers a false positive:

finding:
  cve: CVE-2099-0001
  affected_component: internal package mirror
  asset: dev-mirror-02
  environment: development
  internet_exposed: false
  business_criticality: low
  cisa_kev: false
  public_poc: false
  active_exploitation_evidence: false
  patch_available: true
  ssvc_decision: Scheduled
  epss:
    score_30_days_ago: 0.0005
    current_score: 0.0016
    absolute_change: 0.0011
    relative_change: 220%
    current_probability_percent: 0.16%

Why this is a false positive:

Step 3 classifies an EPSS trend as Surging when EPSS increased by >= 0.2 absolute or >= 200% relative in 30 days, and then says to escalate one SLA tier immediately. This record crosses the relative threshold even though the current EPSS probability is still only 0.0016 and the absolute movement is 0.0011.

That creates an operational false positive: a low-criticality, non-exposed development asset can be moved into out-of-cycle patching because a near-zero baseline tripled. FIRST describes EPSS as a probability signal between 0 and 1 and says it is one input in risk-based vulnerability management, not a standalone risk score. A relative-only threshold from a tiny baseline treats mathematical noise as urgency.

A better result for this example is:

  • Trend: Low absolute probability - relative increase noted
  • SLA action: keep the existing SSVC-driven SLA unless asset exposure, exploit intelligence, KEV status, or a meaningful absolute EPSS increase justifies escalation
  • Report note: "Relative EPSS change is high, but current probability and absolute delta remain low; monitor for continued growth"

Coverage Gaps

Missed variant 1: Relative threshold from a near-zero baseline

cve: CVE-2099-0002
epss_30_day_prior: 0.0003
epss_current: 0.0010
relative_change: 233%
absolute_change: 0.0007
current_percentile: low

Why it should be caught:

The skill should not classify this as Surging just because the relative percentage is large. For very small baselines, relative change is unstable and can overstate operational urgency. The trend rule needs a minimum current EPSS floor, a minimum absolute delta, or both before a relative increase can trigger SLA escalation.

Missed variant 2: Missing or zero historical EPSS creates undefined relative change

cve: CVE-2099-0003
epss_30_day_prior: 0
epss_current: 0.003
relative_change: undefined_or_infinite
history_status: first_seen_recently

Why it should be caught:

If historical EPSS is absent, zero, or newly available, relative percentage can be undefined or effectively infinite. The skill currently has Surging, Rising, Stable, and Declining, but no explicit Insufficient History state. Without that state, new CVEs or newly scored CVEs may be escalated or normalized incorrectly.

Missed variant 3: Probability and percentile disagree with the trend label

cve: CVE-2099-0004
epss_30_day_prior: 0.0008
epss_current: 0.0022
relative_change: 175%
absolute_change: 0.0014
percentile_change: minimal
asset_exposure: internal_only

Why it should be caught:

The skill asks for both EPSS score and percentile, but the trend classification only uses score movement. If the current probability remains extremely low and percentile remains in a low cohort, the report should avoid presenting the finding as an urgent trend alert. A defensible report should show probability, percentile movement, and data quality before changing an SLA.

Missed variant 4: Relative threshold bypasses SSVC primacy

ssvc_decision: Scheduled
exploitation: None
exposure: Controlled
automatable: No
human_impact: Low
epss_relative_change_30d: 240%
epss_current: 0.0012

Why it should be caught:

The skill says SSVC is the primary driver, but Step 3 says Surging EPSS escalates one SLA tier immediately. A relative-only EPSS spike can therefore override a low-urgency SSVC outcome even when exploitation, exposure, and impact do not support out-of-cycle remediation.

Edge Cases

  • EPSS history can be missing for newly published CVEs or for CVEs added to the feed after publication; this should produce Insufficient History, not Surging or Stable.
  • A tiny EPSS value can increase by hundreds of percent while remaining below a locally meaningful action threshold.
  • Historical trend data can be stale, cache-derived, or scanner-supplied; trend labels should include source date and freshness before SLA changes are made.
  • Development, test, sandbox, and internal-only assets can tolerate a different response when there is no exploit evidence and the absolute EPSS probability remains very low.
  • A CVE can have a low EPSS score but become urgent through KEV listing, observed exploitation, exposed asset context, or high human impact; the proposed fix should preserve those stronger escalation paths.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add guardrails to the EPSS trend classifier:
    • classify relative-only growth from near-zero baselines as Monitor unless current EPSS and absolute delta exceed configurable policy floors;
    • add an explicit Insufficient History trend state for missing, zero, or newly available historical data;
    • require trend alerts to display current probability, absolute delta, relative delta, percentile movement, and data source date;
    • preserve SSVC primacy by allowing EPSS trend to recommend escalation only when supported by meaningful probability, exposure, exploit intelligence, or local policy.

Comparison to Other Tools

| Tool / Framework | Catches this? | Notes |
|---|---|---|
| FIRST EPSS user guide | Yes | Explains that EPSS is a probability signal and one input in vulnerability management, not a standalone risk score. |
| FIRST EPSS model guidance | Partial | Notes that example cutoffs are arbitrary rather than official universal thresholds; local policy must set action thresholds. |
| FIRST EPSS API | Partial | Provides current score, percentile, and time-series data, but the skill must define how to handle missing or near-zero history. |
| CERT/CC SSVC | Partial | Keeps remediation action tied to stakeholder decision points such as exploitation, exposure, automatable exploitation, and human impact. |
| Enterprise VM tools | Partial | Common platforms can display EPSS and trends, but organizations still need policy floors to avoid noisy low-probability escalations. |

Overall Assessment

Strengths:

The skill has a practical structure for patch backlogs: it combines SSVC, EPSS, KEV, SLA tiers, compensating controls, maintenance windows, and risk exceptions. It also correctly warns against CVSS-only prioritization and requires evidence for compensating controls.

Needs improvement:

The EPSS trend classifier is too sensitive to relative percentage changes from tiny baselines. Since Step 3 can immediately escalate an SLA tier, the current >= 200% relative rule can convert low-probability noise into urgent patch work. The skill also needs a missing-history state so new or incomplete EPSS records do not produce misleading trend labels.

Priority recommendations:

  1. Replace absolute OR relative trend escalation with policy floors such as current EPSS >= X and absolute delta >= Y before relative growth can trigger Surging.
  2. Add Insufficient History for missing, zero, stale, or first-seen historical EPSS values.
  3. Report absolute delta, relative delta, current probability, percentile movement, source date, and history status in every EPSS trend alert.
  4. Make low-baseline relative spikes recommend Monitor rather than immediate SLA escalation unless SSVC, KEV, exploit intelligence, exposure, or human impact also supports escalation.
  5. Document the EPSS thresholds as local policy defaults rather than universal standards.
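The guardrails proposed in the Remediation Quality section and the priority recommendations above, as an added reference implementation that is not the skill's own code. The Step 3 thresholds (>= 0.2 absolute, >= 200% relative) come from the report; the policy floors MIN_CURRENT_EPSS and MIN_ABS_DELTA, the Rising/Declining rule, and the record field names are assumed local defaults for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Step 3 thresholds as the skill states them (>= 0.2 absolute or >= 200% relative).
ABS_SURGE, REL_SURGE = 0.2, 2.0
# Local policy floors (assumed defaults, not official EPSS thresholds): a relative
# spike only counts as Surging when the probability itself is already meaningful.
MIN_CURRENT_EPSS, MIN_ABS_DELTA = 0.05, 0.02

@dataclass
class Finding:
    cve: str
    epss_current: Optional[float]
    epss_prior_30d: Optional[float]      # None or 0 means no usable history
    source_date: str = "unknown"         # freshness of the history used for the trend
    cisa_kev: bool = False
    active_exploitation: bool = False
    ssvc_decision: str = "Scheduled"

def classify_trend(f: Finding) -> dict:
    """Trend label plus the fields every alert must display. Missing or zero
    history yields Insufficient History instead of a guessed label."""
    if f.epss_current is None or not f.epss_prior_30d:
        return {"trend": "Insufficient History", "current": f.epss_current,
                "abs_delta": None, "rel_delta": None, "source_date": f.source_date}
    abs_delta = f.epss_current - f.epss_prior_30d
    rel_delta = abs_delta / f.epss_prior_30d
    if abs_delta >= ABS_SURGE:
        trend = "Surging"                # large absolute move is always meaningful
    elif rel_delta >= REL_SURGE:
        # Relative growth alone is not enough from a near-zero baseline.
        meaningful = f.epss_current >= MIN_CURRENT_EPSS and abs_delta >= MIN_ABS_DELTA
        trend = "Surging" if meaningful else "Monitor"
    elif abs_delta > 0:
        trend = "Rising"                 # assumed: any positive move below the floors
    elif abs_delta < 0:
        trend = "Declining"
    else:
        trend = "Stable"
    return {"trend": trend, "current": f.epss_current, "abs_delta": round(abs_delta, 6),
            "rel_delta": round(rel_delta, 4), "source_date": f.source_date}

def sla_action(f: Finding) -> str:
    """SSVC stays primary: KEV or observed exploitation escalate on their own;
    an EPSS trend escalates only when it is a floor-respecting Surge."""
    if f.cisa_kev or f.active_exploitation:
        return "escalate one tier"
    trend = classify_trend(f)["trend"]
    if trend == "Surging":
        return "escalate one tier"
    if trend in ("Monitor", "Insufficient History"):
        return "keep SSVC SLA, monitor"
    return "keep SSVC SLA"
```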

Sources Checked

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method: PayPal; payout email can be provided privately after acceptance.
