Add a few explanatory callouts to EPSS howtos #949
Merged
This PR adds a few explanatory callouts in the EPSS how-to articles. One of them mentions that SSVC users could use EPSS to sort within an SSVC outcome category. It's not something we're going to recommend, but it is an available option for folks if they really feel strongly about "sorting" over and above "categorization".
Note
I also intend to start a discussion thread to capture some thoughts on how to approach the "but we need numbers so we can sort" folks. (Not hostile to it, I just think there are a few alternative pathways to consider before concluding that sorting is necessary. Interested to get community feedback on that. Maybe it turns into future guidance in the site.)
Copilot Summary
This pull request adds helpful Q&A sections to the documentation for using EPSS with SSVC, making the guides more user-friendly and addressing common questions about combining exploitation data and prioritizing vulnerabilities.
Documentation improvements:
- Added explanatory sections to epss_percentiles.md and epss_probability.md to clarify the content and goals of each guide.
- Added a section to epss_percentiles.md explaining how to sort vulnerabilities within a given SSVC outcome category using raw EPSS probability scores as a secondary sorting key.
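The "sort within an SSVC outcome category" option described in this PR, as an added example that is not code from the SSVC project or from this PR: SSVC deployer outcomes (Act, Attend, Track*, Track) are the primary key and raw EPSS probability is the secondary key, so EPSS only orders records inside one category and never promotes a record across categories. The urgency ranking of the outcomes, the Vuln record shape and the vulnerability identifiers and EPSS values are all constructed for illustration.

```python
"""Sort vulnerabilities within SSVC outcome categories by EPSS probability.

Added example, not code from the SSVC project. The outcome labels are the
SSVC deployer decision outcomes; the ranking, the record shape and all
sample data below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: most to least urgent. Categorization comes first; EPSS only
# breaks ties inside one category and never moves a record across categories.
OUTCOME_RANK = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # constructed identifier, not a real CVE
    ssvc_outcome: str        # one of OUTCOME_RANK
    epss_probability: float  # raw EPSS probability in [0, 1]

    def __post_init__(self):
        # Reject unknown categories and out-of-range scores up front so a bad
        # feed cannot silently land a record at the top or bottom of the list.
        if self.ssvc_outcome not in OUTCOME_RANK:
            raise ValueError(f"unknown SSVC outcome: {self.ssvc_outcome!r}")
        if not 0.0 <= self.epss_probability <= 1.0:
            raise ValueError(f"EPSS probability out of range: {self.epss_probability}")


def sort_key(v: Vuln):
    """Primary key: SSVC outcome rank. Secondary key: EPSS probability, descending."""
    return (OUTCOME_RANK[v.ssvc_outcome], -v.epss_probability)


def prioritize(vulns):
    """Return vulns ordered by SSVC outcome, then by EPSS within each outcome."""
    return sorted(vulns, key=sort_key)


def group_by_outcome(vulns):
    """Return {outcome: [vulns sorted by EPSS desc]} with outcomes in rank order."""
    groups = {name: [] for name in sorted(OUTCOME_RANK, key=OUTCOME_RANK.get)}
    for v in prioritize(vulns):
        groups[v.ssvc_outcome].append(v)
    return groups


# Constructed sample data: note VULN-A has the highest EPSS but the lowest
# SSVC outcome, so it still sorts last.
SAMPLE = [
    Vuln("VULN-A", "Track", 0.95),
    Vuln("VULN-B", "Act", 0.02),
    Vuln("VULN-C", "Attend", 0.40),
    Vuln("VULN-D", "Attend", 0.71),
    Vuln("VULN-E", "Act", 0.30),
    Vuln("VULN-F", "Track*", 0.10),
]

if __name__ == "__main__":
    for outcome, items in group_by_outcome(SAMPLE).items():
        print(outcome)
        for v in items:
            print(f"  {v.vuln_id}  epss={v.epss_probability:.2f}")
```

The point of keeping the outcome as the primary key is the one the PR description makes: this is sorting inside a categorization, not a replacement for it. A Track vulnerability with a 0.95 EPSS probability still lands below every Act and Attend item, which is the behaviour to check for if someone swaps the key order.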