stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/policy/epss-threshold-policy-gate.md

2.3 KiB
Raw Blame History

EPSS Threshold Policy Gate

Module

Policy

Status

IMPLEMENTED

Description

Policy gate that evaluates EPSS probability thresholds to block or allow releases based on configurable risk bands and delta thresholds.

Implementation Details

  • PolicyGateEvaluator: src/Policy/StellaOps.Policy.Engine/Gates/PolicyGateEvaluator.cs -- multi-gate evaluation including EPSS-aware gates
    • EPSS thresholds integrated into evidence and confidence gate evaluation
    • Gate result types: Pass, PassWithNote, Warn, Block, Skip
  • UnknownRanker EPSS Scoring: src/Policy/__Libraries/StellaOps.Policy.Unknowns/Services/UnknownRanker.cs -- EPSS exploit pressure
    • EPSS >= 0.90: +0.30 (critical exploit likelihood)
    • EPSS >= 0.50: +0.15 (significant exploit likelihood)
    • CVSS >= 9.0: +0.05 (additional severity factor)
    • Combined with KEV status (+0.50) for total exploit pressure
    • Exploit pressure feeds into band assignment: Hot >= 75, Warm >= 50, Cold >= 25
  • Risk Profile Scoring: src/Policy/StellaOps.Policy.Engine/Scoring/ -- EPSS as scoring signal
    • ScoringProfileService.cs -- profile configuration includes EPSS weights
    • ScorePolicyService.cs -- EPSS threshold evaluation per policy
    • IScoringEngine.cs interface with EPSS-aware implementations
  • CVSS + EPSS Combined Scoring: src/Policy/StellaOps.Policy.Scoring/ -- CVSS and EPSS used together
    • CVSS provides severity; EPSS provides exploit probability
    • Combined score informs gate decisions
  • Risk Budget Integration: EPSS-driven unknowns affect budget consumption

E2E Test Plan

  • Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.85; verify gate blocks
  • Configure EPSS threshold gate at 0.80; evaluate finding with EPSS=0.50; verify gate allows
  • Verify EPSS + KEV combination: KEV=true with EPSS=0.95 produces exploit pressure 0.80 (0.50+0.30)
  • Verify EPSS + KEV combination: KEV=true with EPSS=0.50 produces exploit pressure 0.65 (0.50+0.15)
  • Verify HOT band assignment for finding with total score >= 75 (high EPSS + high uncertainty)
  • Verify band transition from WARM to HOT when EPSS score increases above 0.90
  • Verify EPSS delta: finding with rising EPSS triggers re-evaluation
  • Verify scoring profile weights EPSS contribution correctly