KEV / EPSS prioritisation

CVE findings get decorated with two real-world signals when the bundle includes them:

  • CISA KEV - Known Exploited Vulnerabilities. CISA maintains a catalogue of CVEs with confirmed in-the-wild exploitation. Findings on KEV-listed CVEs are bumped to Critical regardless of CVSS score.
  • EPSS - Exploit Prediction Scoring System. A daily-updated probability (0-1) that a CVE will be exploited in the next 30 days. EPSS >= 0.9 bumps the finding to High.

Why these matter

CVSS alone is famously poor at predicting which CVEs actually get exploited - most CVEs never see in-the-wild use, and CVSS 7+ on a CVE for a library you barely import is almost always lower priority than a CVSS 5 KEV-listed CVE for a library that handles your auth.

KEV says "this is being exploited right now". EPSS says "a machine-learning model predicts this is likely to be exploited soon". Vulkro surfaces both.

Output

```text
DEPS
  CVE-2024-21733  tomcat-embed-core 9.0.78
    CISA KEV - actively exploited, added 2024-04-12   [reachable]
  CVE-2024-29025  netty 4.1.107
    EPSS 91%                                          [unreachable]
  CVE-2024-12345  some-low-traffic-lib 0.4.2
    CVSS 8.6 (no KEV / EPSS data)                     [unreachable]
```

Where the data comes from

The CVE bundle aggregates:

Updated daily. Each CveRecord in the bundle carries optional epss, kev_added, and vulnerable_symbols fields.
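The bump rules above (KEV-listed to Critical regardless of CVSS, EPSS >= 0.9 to High) applied to records shaped like the CveRecord fields just named, as an added example that is not Vulkro's own code. It assumes the baseline severity comes from the CVSS v3 qualitative rating scale and that a finding counts as reachable when one of its vulnerable_symbols is used by the project; the CVSS values and symbol name in the sample record are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
EPSS_BUMP_THRESHOLD = 0.9  # from the page: EPSS >= 0.9 bumps the finding to High


@dataclass
class CveRecord:  # assumed shape; mirrors the optional fields named on the page
    cve: str
    package: str
    version: str
    cvss: float                            # constructed in the sample below
    epss: Optional[float] = None           # 0-1 probability, absent if no EPSS data
    kev_added: Optional[str] = None        # date added to CISA KEV, None if not listed
    vulnerable_symbols: list = field(default_factory=list)


def cvss_severity(score: float) -> str:
    """Baseline rating from the CVSS v3 qualitative scale (an assumption here)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def bump(current: str, floor: str) -> str:
    """Raise severity to at least `floor`; a bump never lowers a rating."""
    return floor if SEVERITY_RANK[floor] > SEVERITY_RANK[current] else current


def prioritise(rec: CveRecord, used_symbols: set) -> tuple:
    """Return (severity, annotation line) following the page's rules."""
    severity = cvss_severity(rec.cvss)
    if rec.kev_added:  # confirmed in-the-wild exploitation wins over everything
        severity = bump(severity, "Critical")
        note = f"CISA KEV - actively exploited, added {rec.kev_added}"
    elif rec.epss is not None and rec.epss >= EPSS_BUMP_THRESHOLD:
        severity = bump(severity, "High")
        note = f"EPSS {rec.epss:.0%}"
    elif rec.epss is not None:  # EPSS present but below the bump threshold
        note = f"CVSS {rec.cvss}, EPSS {rec.epss:.0%}"
    else:
        note = f"CVSS {rec.cvss} (no KEV / EPSS data)"
    reachable = bool(set(rec.vulnerable_symbols) & used_symbols)
    return severity, f"{note} [{'reachable' if reachable else 'unreachable'}]"


# Constructed sample: KEV-listed with a modest CVSS still lands as Critical.
SAMPLE = CveRecord("CVE-2024-21733", "tomcat-embed-core", "9.0.78", cvss=5.3,
                   epss=0.12, kev_added="2024-04-12",
                   vulnerable_symbols=["example_vulnerable_symbol"])  # hypothetical name
```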