CVE Scoring Methodology

How the EG score works

Every CVE in our 147K-corpus gets an EG score — a 0–10 number synthesized from NVD CVSS + CISA KEV + FIRST EPSS + GitHub Security Advisory. This page documents the formula, the confidence rubric, and what we deliberately don't claim.

The four signals we combine

NVD CVSS

Baseline technical score from the National Vulnerability Database. Computed from a fixed vector of attack characteristics — vector, complexity, privileges, scope, impact triad.

Limit: Static after publication. Does not reflect exploitation in the wild.

CISA KEV

CISA's Known Exploited Vulnerabilities catalog. Listing means CISA confirmed real-world exploitation. We floor the EG score at 9.0 for any KEV-listed CVE.

Limit: Reactive — only catches CVEs after exploitation has been observed and reported.

FIRST EPSS

Exploit Prediction Scoring System from FIRST.org. Probability (0–1) that a CVE will be exploited in the next 30 days, trained on real attack telemetry. We elevate severity when EPSS ≥ 0.85.

Limit: Recalculates nightly — freshly published CVEs typically lack EPSS data for 24–48h.

GitHub Security Advisory

GHSA's vendor-curated CVSS. Often differs from NVD by 1-3 points because it incorporates vendor context (affected versions, exploit availability, patch status).

Limit: Only covers CVEs in software ecosystems GitHub tracks (npm, PyPI, Go, Maven, etc.). Infrastructure-only CVEs are not covered.

The formula (rule order)

Five rules evaluated in priority order. First match wins.

Rule 1 — KEV exploitation

max(NVD CVSS, 9.0) · severity floor: CRITICAL · confidence: HIGH

Triggers when: CVE is listed on CISA KEV.

Why: Real-world exploitation is the strongest possible risk signal. A KEV-listed CVE with NVD CVSS 6.5 is still operationally critical.

Rule 2 — EPSS critical

max(NVD CVSS, 9.0) · severity floor: CRITICAL · confidence: HIGH

Triggers when: EPSS ≥ 0.85 (top 5% of CVEs by exploit probability).

Why: EPSS at 0.85+ correlates strongly with actual exploitation in real attack telemetry. Forward-looking risk worth elevating before KEV catches up.

Rule 3 — GHSA CVSS

GHSA CVSS value · severity derived from score · confidence: MEDIUM-HIGH (depends on NVD agreement)

Triggers when: GHSA has published a CVSS for this CVE.

Why: GHSA incorporates vendor context that NVD often lacks. When GHSA disagrees with NVD by more than 1.0, the disagreement itself is signal.

Rule 4 — NVD baseline

NVD CVSS · severity derived from score · confidence: LOW (only one source)

Triggers when: Only NVD CVSS is available; no KEV listing, no EPSS, no GHSA.

Why: Honest fallback. Score equals NVD because we have no additional signal to synthesize. Marked LOW confidence and rendered as 'Aggregating' in the UI.

Rule 5 — No data

0 · severity: NONE · confidence: NONE

Triggers when: No CVSS from any source — typically a CVE in 'reserved' or 'awaiting analysis' state.

Why: We don't make up scores. The CVE shows as unscored until at least one source publishes.

Confidence rubric

Confidence is computed independently from score and tells you how much to trust the synthesis. A HIGH-confidence MEDIUM is more actionable than a LOW-confidence CRITICAL.

HIGH (0.85–1.00)
  • KEV-listed
  • EPSS ≥ 0.95
  • ≥3 sources agree within ±1.0

MEDIUM (0.50–0.84)
  • 2 sources agree within ±1.0
  • GHSA published <30 days
  • Completed NVD analysis

LOW (0.10–0.49)
  • Only NVD signal
  • EPSS pending
  • Sources conflict

NONE (0.00)
  • No CVSS from any source

Worked example

Real CVE

CVE-2025-10127

NVD CVSS: 9.8 (CRITICAL)
GHSA CVSS: 7.3 (HIGH) — disagrees by 2.5 points
EPSS: 0.04 (low — bottom quartile)
KEV: Not listed
EG score: 7.3 (HIGH) — MEDIUM confidence

Why we picked 7.3 over NVD's 9.8: GHSA has more recent vendor context than NVD's static analysis, and disagrees significantly. EPSS is low — meaning attackers aren't targeting this CVE in the wild. KEV is not listed. The combined signal says NVD overweighted theoretical impact relative to actual risk. Rule 3 (GHSA CVSS) wins. MEDIUM confidence because two sources disagree.
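The rule order above, the Rule 3 confidence behaviour, and the worked example in runnable form. This is an added example written for this page, not EchelonGraph's own code. The `Signals` and `EGResult` dataclasses are assumed shapes; the severity bands use the standard CVSS v3 qualitative scale (0.1–3.9 LOW, 4.0–6.9 MEDIUM, 7.0–8.9 HIGH, 9.0–10.0 CRITICAL), which the page only describes as "derived from score"; and Rule 3's "MEDIUM-HIGH (depends on NVD agreement)" is read as HIGH when GHSA and NVD agree within ±1.0 and MEDIUM otherwise, which reproduces the CVE-2025-10127 result (7.3, HIGH, MEDIUM confidence). The per-result rationale string is the kind of text the UI hover would carry.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signals:
    """Per-CVE inputs. Field names are this example's own, not EchelonGraph's schema."""
    nvd_cvss: Optional[float] = None    # NVD base score; None while 'awaiting analysis'
    ghsa_cvss: Optional[float] = None   # GitHub advisory CVSS; None if no advisory
    epss: Optional[float] = None        # FIRST EPSS probability 0-1; None until scored
    kev: bool = False                   # listed in CISA KEV?


@dataclass
class EGResult:
    rule: int
    score: float
    severity: str
    confidence: str
    rationale: str


def severity_from_score(score: float) -> str:
    """Standard CVSS v3 qualitative bands (assumed; the page says 'derived from score')."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def eg_score(s: Signals) -> EGResult:
    """Evaluate the five rules in priority order; the first match wins."""
    nvd = s.nvd_cvss if s.nvd_cvss is not None else 0.0

    # Rule 1: confirmed real-world exploitation floors the score at 9.0.
    if s.kev:
        return EGResult(1, max(nvd, 9.0), "CRITICAL", "HIGH",
                        "Listed on CISA KEV; score floored at 9.0")

    # Rule 2: EPSS >= 0.85 is treated as exploitation-critical ahead of KEV.
    if s.epss is not None and s.epss >= 0.85:
        return EGResult(2, max(nvd, 9.0), "CRITICAL", "HIGH",
                        f"EPSS {s.epss:.2f} >= 0.85; score floored at 9.0")

    # Rule 3: vendor-curated GHSA score wins; confidence depends on NVD agreement.
    # Reading of "MEDIUM-HIGH (depends on NVD agreement)": within +/-1.0 -> HIGH, else MEDIUM.
    if s.ghsa_cvss is not None:
        if s.nvd_cvss is None:
            conf, note = "MEDIUM", "no NVD score to compare against"
        else:
            diff = abs(s.ghsa_cvss - s.nvd_cvss)
            agrees = diff <= 1.0
            conf = "HIGH" if agrees else "MEDIUM"
            note = (f"agrees with NVD {s.nvd_cvss} within 1.0" if agrees
                    else f"disagrees with NVD {s.nvd_cvss} by {diff:.1f} points")
        return EGResult(3, s.ghsa_cvss, severity_from_score(s.ghsa_cvss), conf,
                        f"GHSA CVSS {s.ghsa_cvss} used; {note}")

    # Rule 4: only NVD available; honest fallback at LOW confidence ('Aggregating').
    if s.nvd_cvss is not None:
        return EGResult(4, s.nvd_cvss, severity_from_score(s.nvd_cvss), "LOW",
                        "Only NVD CVSS available; aggregating")

    # Rule 5: nothing to synthesize, so no score is invented.
    return EGResult(5, 0.0, "NONE", "NONE", "No CVSS from any source")


if __name__ == "__main__":
    # Constructed inputs matching the page's worked example for CVE-2025-10127.
    r = eg_score(Signals(nvd_cvss=9.8, ghsa_cvss=7.3, epss=0.04, kev=False))
    print(r)  # rule 3, score 7.3, HIGH, MEDIUM confidence
```

Because the rules are ordered, a KEV listing overrides everything else even when a GHSA score is present, and a fresh CVE with no EPSS row and no advisory falls straight through to Rule 4. The fixed rule order is what makes a score explainable: the rationale only ever has to name the single rule that fired.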

What we deliberately don't claim

More accurate than NVD CVSS

NVD CVSS is accurate for what it measures (CVSS-vector math). We measure more things.

Replaces NVD

NVD is one of our four input sources. We are an aggregator, not a replacement.

The source of truth for CVE scoring

MITRE assigns CVEs, CISA maintains KEV, NVD scores. We compose their outputs.

Always right when NVD is wrong

Sometimes we diverge (CVE-2025-10127 above). Often we converge. The diverging cases are where we add the most operational value.

Predicts which CVEs will be exploited next

EPSS (one of our inputs) does that. We surface it; we don't second-guess it.

Frequently asked

What is the EG score?

The EG (EchelonGraph) score is a 0–10 number we compute for every CVE by synthesizing NVD CVSS, CISA KEV (real-world exploitation status), FIRST EPSS (next-30-day exploit probability), and GitHub Security Advisory (vendor-specific CVSS). It re-computes continuously as new signals arrive — typically within 4 hours for high-priority CVEs.

How is the EG score different from NVD CVSS?

NVD CVSS is computed from a fixed vector of technical attack characteristics (attack vector, complexity, privileges, etc.). It does not factor in whether a CVE is actively exploited or how likely it is to be exploited. The EG score adds those signals: KEV-listed CVEs get a HIGH-severity floor, EPSS-critical CVEs get elevated, and disagreements between NVD and GHSA are flagged with explicit confidence indicators.

Why does EG sometimes equal NVD CVSS?

When a CVE is fresh and only the NVD baseline has been published — EPSS has not rescored yet (their model runs nightly), GHSA has not published an advisory (4–72h lag for OSS, never for infrastructure-only CVEs), and CISA has not KEV-listed it — there is no additional signal to synthesize. In that case we display NVD CVSS as the EG score and flag it as 'Aggregating' with LOW confidence. The score upgrades automatically once enrichment data arrives.

When does the EG score differ from NVD CVSS?

Three main triggers: (1) the CVE is listed on CISA KEV — we floor the score at 9.0 because real-world exploitation has been confirmed; (2) EPSS predicts ≥ 85% exploitation probability over the next 30 days — we elevate to CRITICAL severity; (3) GHSA has published a CVSS that differs from NVD by more than 1.0 point — we trust the more recent score with a confidence indicator reflecting the disagreement.

What does the confidence indicator mean?

Every EG score carries a confidence rating: HIGH (≥3 independent sources agree within ±1.0 CVSS, or KEV-listed, or EPSS ≥ 0.95), MEDIUM (2 sources agree, or GHSA published within 30 days), LOW (only NVD signal, or conflicting sources), or NONE (no CVSS from any source yet). Confidence is independent of score magnitude — a high-confidence MEDIUM is more actionable than a low-confidence CRITICAL.

Is the EG score better or more accurate than NVD CVSS?

Honest answer: NVD CVSS is accurate for what it measures (CVSS-vector math). The EG score does not claim to be more accurate — it measures more things. We add exploitation telemetry and forward-looking probability to a score that NVD computes purely from technical characteristics. For triage and prioritization workflows, more signals usually means better decisions, but neither score is a ground-truth substitute for vendor advisories or your own attack-surface context.

How often does the EG score update?

By priority tier: P0 (KEV-listed or score ≥ 9.0) every 4 hours; P1 (score 7.0–8.9) every 12 hours; P2 (score 4.0–6.9) every 24 hours; P3 (score < 4.0 or unscored) every 72 hours; P-cold (>5 years old + low score) every 30 days. The continuous-refresh cadence is the operational differentiator — NVD scores are largely static after publication.

See the EG score in action

Every CVE in our 147K-corpus has an EG score, a confidence indicator, and a rationale you can hover.