# Exploit Maturity Mapping

## Status

IMPLEMENTED

## Description

No dedicated exploit maturity mapping service found. The EPSS provider in RiskEngine may partially cover this.

## Module

RiskEngine

## What's Implemented

- **EPSS provider**: `src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs` (implements `IRiskScoreProvider`)
- **Combined CVSS+KEV+EPSS**: `CvssKevEpssProvider` in same file
- **Scanner EPSS**: `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs`
- **EPSS API endpoints**: `src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs`
- **Golden benchmark corpus**: `src/__Tests/__Benchmarks/golden-corpus/` (includes EPSS/KEV scoring)
- **SBOM vulnerability assessment**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Models/SbomVulnerabilityAssessmentType.cs`
- **Policy-level exploit scoring**: `UnknownRanker` uses `EpssScore` for prioritization
- **Tests**: `src/Scanner/__Tests/StellaOps.Scanner.Storage.Tests/EpssProviderTests.cs`

## What's Missing

- Dedicated "exploit maturity mapping" service consolidating all maturity signals (EPSS, KEV, in-the-wild reports) into a unified maturity level (e.g., POC/Active/Weaponized)
- Exploit maturity lifecycle tracking over time
- Integration of in-the-wild exploitation reports beyond KEV

## Implementation Plan

- Create unified exploit maturity service that combines EPSS, KEV, and in-the-wild signals
- Define maturity level taxonomy (POC/Active/Weaponized)
- Expose maturity level in finding detail UI

## Source

- Feature matrix scan