  1. Red Hat Advanced Cluster Security
  2. ROX-30427

Add EPSS field in policy engine and in UI

    • Product / Portfolio Work
    • False
    • False
    • Not Selected
    • An EPSS (Exploit Prediction Scoring System) policy criterion is now available to construct new policies or modify existing ones.

      You can focus on CVEs that are more likely to be exploited by
      creating an effective policy that combines severity and EPSS value (CRITICAL and EPSS > 50%).
    • Enhancement
    • Yes

      Outcome

      EPSS is now available from the scanner. Customers would like to use it for new policies (for example, RFE-7958).

      Scope

      Add a new EPSS Probability criterion to policy engine, API and UI

      This is an IMAGE related criterion

       

      Attribute | Value
      Policy JSON name | EPSS
      Attribute (UI short name) | EPSS
      Long name (UI) | EPSS probability
      Data type presented in UI | Percentage. Allowed values: whole-number integers [0..100] inclusive
      Criterion operation | Use our standard for such fields: (>, >=, =, <=, <)
      Default value (including example) | (ex. 75%)
      UI description | EPSS (Exploit Prediction Scoring System) provides a numerical score to predict the likelihood of a vulnerability being exploited in the wild
      Location in UI | After NVD CVSS
      Documentation | In addition to the UI description, add a link to where EPSS is documented: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.8/html/operating/managing-vulnerabilities
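
As an added illustration (not ACS code and not part of the ticket), the Python example below evaluates the criterion as the table specifies it: a whole-number percentage in [0..100] with one of the five operators, combined with severity by logical AND. The `Finding` record, the 0.0-1.0 probability input, the rounding step and the treatment of unscored CVEs are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Comparison operators the ticket lists for the EPSS criterion.
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}
CRITERION = re.compile(r"\s*(>=|<=|>|<|=)\s*(\d{1,3})\s*%?\s*")

def parse_epss_criterion(text):
    """Parse '>= 50' or '>50%' into (operator, whole-number percentage)."""
    m = CRITERION.fullmatch(text)
    if m is None:
        raise ValueError(f"not an EPSS criterion: {text!r}")
    op, pct = m.group(1), int(m.group(2))
    if not 0 <= pct <= 100:
        raise ValueError(f"EPSS percentage outside [0..100]: {pct}")
    return op, pct

@dataclass
class Finding:  # hypothetical record shape, not the product's schema
    cve: str
    severity: str
    epss: Optional[float]  # assumed: probability 0.0-1.0, None if unscored

def epss_matches(finding, criterion):
    op, pct = parse_epss_criterion(criterion)
    if finding.epss is None:
        return False  # assumption: a CVE without a score never matches
    # Round to 3 decimals of a percent so 0.07 * 100 compares as 7.0, not 7.000000000000001.
    return OPS[op](round(finding.epss * 100, 3), pct)

def violations(findings, severity, criterion):
    """CVEs that meet both the severity and the EPSS criterion (logical AND)."""
    return [f.cve for f in findings
            if f.severity == severity and epss_matches(f, criterion)]

# Constructed sample data; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "CRITICAL", 0.91342),
    Finding("CVE-EXAMPLE-0002", "CRITICAL", 0.00412),   # critical but unlikely to be exploited
    Finding("CVE-EXAMPLE-0003", "IMPORTANT", 0.77010),  # likely, but not critical
    Finding("CVE-EXAMPLE-0004", "CRITICAL", 0.5),       # exactly 50%: '>' excludes, '>=' includes
    Finding("CVE-EXAMPLE-0005", "CRITICAL", None),      # no EPSS score available
]

if __name__ == "__main__":
    print(violations(SAMPLE, "CRITICAL", "> 50"))
    print(violations(SAMPLE, "CRITICAL", ">= 50"))
```

The boundary record shows why the choice between `>` and `>=` matters for a threshold such as 50%, and the unscored record shows that a policy author needs to know how missing EPSS data is treated.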

       

       

      ===

      From an RFE: 

      Having an EPSS field in security policies would help to create a policy which combines severity and EPSS value (CRITICAL and EPSS > 50%).

      Customer would like to be able to use the EPSS value in their policies, so that they can create policies such as:

      "Critical CVE and EPSS value greater than 50%" or
      "CVSS greater than 8 and EPSS greater than 25%".

      This would help the customer:
      1. Be able to focus on CVEs which are more likely to get exploited
      2. Save time and money by creating an effective policy which combines severity and EPSS value (CRITICAL and EPSS > 50%).


              vwilson@redhat.com Van Wilson
              bmichael@redhat.com Boaz Michaely
              Boaz Michaely Boaz Michaely
              ACS Core Workflows