Remove Static EPSS Scores from Templates Due to Inaccuracy

[aringo]

This concerns the use of EPSS (Exploit Prediction Scoring System) scores in Nuclei templates.

Currently, the EPSS scores appear to be statically included in the templates. EPSS is a daily-updated score provided by FIRST.org, so the values can change significantly over time and vary a lot - like if something gets added to the KEV. Additionally, templates are signed so they would need resigned daily.

Issues with stale data: EPSS scores embedded in the templates can quickly become outdated.

• False sense of prioritization: Some user(s) may treat the static EPSS values as current, which can mislead risk assessment and prioritization.
• No clear update mechanism: There's no automated process (as of now) to ensure these scores are regularly refreshed across all templates.

Possible Ideas:

• Remove the static EPSS values from the templates.
• Develop on-demand EPSS fetch mechanism (like an API to fetch the current score of templates if they want to scan by it)
• If taking no action at least include a disclaimer about the EPSS.

Looking at templates today finally decided to say something. Sorry if this has been covered in another thread.

Ringo

[princechaddha]

Hi @aringo, the response time to this discussion was much longer than usual thank you for your patience and for taking the time to create it. We previously had a workflow in place, but it was causing several errors, and this issue ended up being overlooked for quite some time. Thank you for bringing it to our attention. We’ll be working on fixing it. Thanks again!

[princechaddha]

@aringo We have updated the EPSS scores of all CVEs and will continue to do so in upcoming releases. #12526