Cloudsmith introduces EPSS Scoring in Enterprise Policy Management (EPM)
Cloudsmith’s Enterprise Policy Management (EPM) now supports the Exploit Prediction Scoring System (EPSS), a data-driven metric designed to estimate the probability of a software vulnerability being exploited in the wild. Using EPM in Cloudsmith, you can now use a package’s EPSS score to inform your package workflows, including those around Package Promotion and Package Quarantine.
What is EPSS?
EPSS scores or estimates the likelihood (probability) that a software vulnerability will be exploited in the wild. Cloudsmith users can use EPSS scores to prioritize vulnerabilities most likely to be exploited, to strengthen your organization’s security posture and automate your response to vulnerabilities.
Cloudsmith users can continue to write rego-based policies in Open Policy Agent (OPA) and leverage EPSS-based logic in their OPA policies for more granular, data-informed decisions around vulnerability management. This automated responses approach allows Cloudsmith users to remain protected in real time as Cloudsmith automatically re-checks and re-applies your policies when EPSS scores change.
The above OPA policy will quarantine and tag a software package with “exceeded-epss” if it sees “HIGH” vendor severity rating and if the EPSS score exceeds the defined threshold in your Cloudsmith repository.
For the purpose of a real-world demonstration, we will use the vulnerable Spotipy package as highlighted in CVE-2025-27154. The spotipy example is a Python library specifically used with the Spotify Web API. Affected versions of this package are vulnerable to Incorrect Default Permissions through the CacheHandler class. In this scenario an attacker could gain unauthorized access to admin-level actions on the Spotify account by reading Spotify authentication tokens exposed in the file created by the CacheHandler class with the rw-r--r-- (644) default permissions, as stated by Snyk security researchers.
What’s interesting about this example is that it was picked up by EPSS but hasn’t yet received a “vendor severity” scoring from NIST, emphasizing the need for EPSS as well as traditional vendor scoring sources within our EPM policies. Vulnerability naming schemes, like the Common Vulnerabilities and Exposures (CVE) system, provide standardised identifiers for publicly known IT system vulnerabilities. This CVE classification differs from EPSS in the sense that EPSS uses real-world threat data to predict the likelihood of those vulnerabilities being exploited
In the above example, you can see that spotify was detected with a vulnerability from the recently applied policy. The tag was added with “exceeded-epss” providing that it was the EPSS predictability score that caused the quarantine status. Package quarantining allows users to temporarily block any downloads of a package until you release the package from that quarantine state.
Meet Us at Kubecon London
If you like to see a demo of the Cloudsmith’s EPM capabilities with EPSS confidence scoring, why not call over to Booth S280, South Hall – ExCeL London. We’ll be providing live demos until Friday.
Liked this article? Don\'t be selfish (:-), share with others: Tweet