# EPSS integration guide

EPSS is a probabilistic exploit signal used alongside CVSS and KEV to prioritize vulnerabilities. StellaOps stores EPSS at scan time for replay and can also track live EPSS for triage.

## Key signals

- `epss_score`: probability 0.0 to 1.0 of exploitation within 30 days.
- `epss_percentile`: rank against all scored CVEs.
- `model_date`: date of the EPSS model snapshot.
- EPSS does not use numbered versions; `model_date` is the canonical identifier.

## Versioning clarification

- EPSS does not have numbered versions like CVSS; references to "EPSS v4" are shorthand.
- `model_date` is the authoritative identifier for a daily EPSS snapshot.
- `model_version` in EPSS CSV headers refers to the ML model architecture, not a public EPSS version.

## Risk scoring (simple profile)

- `risk_score = clamp01((cvss / 10) + kev_bonus + epss_bonus)`
- `epss_bonus` by percentile:
  - >= 99th: +0.10
  - >= 90th: +0.05
  - >= 50th: +0.02
  - < 50th: 0.00

## At-scan evidence

- `epss_at_scan` is immutable and used for deterministic replay.
- `epss_current` can be used for live triage but does not alter past decisions.

## Offline bundles

- EPSS data is packaged in risk bundles for air-gapped imports.
- Bundle includes `epss_scores` and metadata with hashes and `model_date`.

## Staleness guidance

- Online: update daily.
- Air-gapped: import weekly minimum.
- If stale, fall back to CVSS and KEV only.

## Related references

- docs/guides/epss-integration.md
- docs/guides/epss-integration-v4.md
- docs/architecture/epss-versioning-clarification.md
- docs/risk/overview.md
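The simple risk profile and the staleness fallback above, worked through as an added example (not StellaOps code). It assumes percentiles are fractions (0.99 for the 99th), a placeholder `kev_bonus` of 0.20 since the page gives no value, and the weekly air-gapped import interval as the staleness cutoff after which the EPSS bonus is dropped and only CVSS and KEV count.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Placeholder: the guide does not state the KEV bonus, 0.20 is an assumption.
KEV_BONUS = 0.20
# Air-gapped guidance says import weekly at minimum; older snapshots are stale.
MAX_MODEL_AGE_DAYS = 7


@dataclass(frozen=True)
class EpssEvidence:
    """One EPSS snapshot as stored at scan time (epss_at_scan) or fetched live."""
    score: float        # epss_score, probability 0.0 to 1.0
    percentile: float   # epss_percentile as a fraction, 0.0 to 1.0 (assumption)
    model_date: date    # canonical identifier of the daily EPSS snapshot


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def epss_bonus(percentile: float) -> float:
    """Percentile ladder from the simple profile."""
    if percentile >= 0.99:
        return 0.10
    if percentile >= 0.90:
        return 0.05
    if percentile >= 0.50:
        return 0.02
    return 0.0


def is_stale(evidence: EpssEvidence, today: date,
             max_age_days: int = MAX_MODEL_AGE_DAYS) -> bool:
    return (today - evidence.model_date) > timedelta(days=max_age_days)


def risk_score(cvss: float, in_kev: bool, epss: Optional[EpssEvidence],
               today: date) -> Tuple[float, bool]:
    """Return (risk_score, epss_used). Missing or stale EPSS falls back to CVSS + KEV.

    The function is pure: replaying with the stored epss_at_scan and the original
    scan date reproduces the original decision regardless of later EPSS updates.
    """
    bonus, used = 0.0, False
    if epss is not None and not is_stale(epss, today):
        bonus, used = epss_bonus(epss.percentile), True
    kev = KEV_BONUS if in_kev else 0.0
    return clamp01(cvss / 10 + kev + bonus), used
```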