stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/features/checked/policy/epss-threshold-policy-gate.md
master 9ca2de05df more features checks. setup improvements
2026-02-13 02:04:55 +02:00

40 lines
2.3 KiB
Markdown
Raw Blame History

# EPSS Threshold Policy Gate
## Module
Policy
## Status
IMPLEMENTED
## Description
Policy gate that evaluates EPSS probability thresholds to block or allow releases based on configurable risk bands and delta thresholds.
## Implementation Details
- **PolicyGateEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs` -- multi-gate evaluation including EPSS-aware gates
- EPSS thresholds integrated into evidence and confidence gate evaluation
- Gate result types: Pass, PassWithNote, Warn, Block, Skip
- **UnknownRanker EPSS Scoring**: `src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs` -- EPSS exploit pressure
- EPSS >= 0.90: +0.30 (critical exploit likelihood)
- EPSS >= 0.50: +0.15 (significant exploit likelihood)
- CVSS >= 9.0: +0.05 (additional severity factor)
- Combined with KEV status (+0.50) for total exploit pressure
- Exploit pressure feeds into band assignment: Hot >= 75, Warm >= 50, Cold >= 25
- **Risk Profile Scoring**: `src/Policy/StellaOps.Policy.Engine/Scoring/` -- EPSS as scoring signal
- `ScoringProfileService.cs` -- profile configuration includes EPSS weights
- `ScorePolicyService.cs` -- EPSS threshold evaluation per policy
- `IScoringEngine.cs` interface with EPSS-aware implementations
- **CVSS + EPSS Combined Scoring**: `src/Policy/StellaOps.Policy.Scoring/` -- CVSS and EPSS used together
- CVSS provides severity; EPSS provides exploit probability
- Combined score informs gate decisions
- **Risk Budget Integration**: EPSS-driven unknowns affect budget consumption
## E2E Test Plan
- [ ] Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.85; verify gate blocks
- [ ] Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.50; verify gate allows
- [ ] Verify EPSS + KEV combination: KEV=true with EPSS=0.95 produces exploit pressure 0.80 (0.50+0.30)
- [ ] Verify EPSS + KEV combination: KEV=true with EPSS=0.50 produces exploit pressure 0.65 (0.50+0.15)
- [ ] Verify HOT band assignment for finding with total score >= 75 (high EPSS + high uncertainty)
- [ ] Verify band transition from WARM to HOT when EPSS score increases above 0.90
- [ ] Verify EPSS delta: finding with rising EPSS triggers re-evaluation
- [ ] Verify scoring profile weights EPSS contribution correctly
Reference in New Issue View Git Blame Copy Permalink