Scoring Fields
BreachSpider provides three scoring systems for every CVE: CVSS (industry standard), EPSS (exploitation probability), and BCS (BreachSpider's composite priority score).
CVSS - Common Vulnerability Scoring System
CVSS v3.1 is the industry standard for base severity. BreachSpider stores and displays the full CVSS vector decomposed into human-readable component fields.
Severity Bands
| Severity | Score Range |
|---|---|
| CRITICAL | 9.0 - 10.0 |
| HIGH | 7.0 - 8.9 |
| MEDIUM | 4.0 - 6.9 |
| LOW | 0.1 - 3.9 |
Attack Vector Values
| Value | Meaning |
|---|---|
| NETWORK | Exploitable remotely over the internet |
| ADJACENT | Exploitable from the same network segment |
| LOCAL | Requires local access or user interaction |
| PHYSICAL | Requires physical access to the device |
EPSS - Exploit Prediction Scoring System
EPSS is maintained by FIRST.org and updated daily. It estimates the probability a CVE will be exploited in the next 30 days.
- Score: 0.0 to 1.0 (raw probability)
- Percentile: 0.0 to 1.0 (rank relative to all CVEs in the EPSS dataset)
Interpretation
| Percentile | Interpretation |
|---|---|
| >= 0.95 | Top 5% most likely to be exploited |
| >= 0.90 | Top 10% most likely to be exploited |
| >= 0.75 | Top 25% most likely to be exploited |
| >= 0.50 | Above median exploitation probability |
| < 0.50 | Below median exploitation probability |
A CVE with epss_score: 0.60 and epss_percentile: 0.98 is in the top 2% of all CVEs by likelihood of exploitation. Even if the probability number appears modest, the relative rank is what matters for triage.
BCS - BreachSpider Confidence Score
BCS is BreachSpider's proprietary composite priority score (0.0-10.0). It combines CVSS, EPSS, exploitation evidence, and ICS/OT relevance into a single actionable number.
BCS is designed for ICS/OT environments. A CVSS 7.0 CVE that affects a Modbus-speaking device and appears in a KEV entry ranks higher than a CVSS 9.0 desktop OS vulnerability with no known exploits.
BCS Tier Thresholds
| Tier | Score Range |
|---|---|
| CRITICAL | 9.0 - 10.0 |
| HIGH | 7.0 - 8.9 |
| MEDIUM | 4.0 - 6.9 |
| LOW | 0.0 - 3.9 |
BCS Factors
| Factor | Contribution |
|---|---|
| CVSS base score | Foundation |
| KEV flagged | Strong positive |
| PoC available | Moderate positive |
| Functional exploit | Strong positive |
| Patch available | Negative (reduces urgency) |
| ICS relevance score | Multiplier for OT-relevant CVEs |