RPS Methodology
How DevSecure Intelligence scores vulnerability risk, and why it matters. Every RPS score is deterministic, auditable, and traces back to source signals. No black box.
1. What is RPS?
The Risk Priority Score (RPS) is a composite vulnerability risk metric that fuses multiple intelligence signals into a single, auditable score. Unlike CVSS, which measures potential severity, RPS measures actual risk — combining baseline severity, exploitation probability, and active exploitation evidence. The result is a number that answers the question: which vulnerabilities carry the strongest external risk signals?
The Formula
where KEV_amplifier = 1.5 (if KEV=true) or 1.0 (if KEV=false)
CVSS (weight 0.4)
Baseline severity from NVD, taken in the fallback order v3.1 → v3.0 → v4.0 → v2.0 → OSV (the first version with a score wins). Provides the static severity floor.
EPSS (weight 0.3)
Forward-looking exploitation probability in the next 30 days, from FIRST.org. Signals likelihood of real-world exploitation.
KEV Amplifier (1.5× / 1.0×)
Active exploitation confirmation from CISA. Multiplies the entire base score when a CVE is being exploited in the wild.
Key Design Decisions
- Additive base (CVSS + EPSS) so non-KEV vulnerabilities still receive a meaningful score.
- Multiplicative KEV amplifier so active exploitation compounds base risk — a CVE being exploited right now matters more.
- Intentionally unbounded above 100 — when all signals align, the score reflects genuine critical risk without artificial caps.
- Deterministic and auditable — every score traces back to source signals. You can reproduce any RPS score from the source data.
Why the weights sum to 0.7, not 1.0
By design. The base score (CVSS + EPSS) represents potential risk and maxes out at 70. The KEV amplifier represents confirmed exploitation and can push the score above 100. This creates a clear tier separation:
- A non-KEV CVE with perfect CVSS and EPSS scores 70 — it's theoretically severe but not confirmed exploited.
- A KEV-confirmed CVE with the same signals scores 105 — active exploitation is categorically more urgent.
- The 35-point gap is intentional — it visually separates “should fix” from “fix right now.”
The old multiplicative formula had three explicit weights summing to 1.0. The canonical formula replaced the third weighted term with an amplifier to create this tier separation, which proved more effective at surfacing actively exploited CVEs in production.
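The composition above, written out as a worked reference. This is an added example, not DevSecure Intelligence's own code: the weights (0.4 and 0.3), the 1.5× KEV amplifier, the version tag, the formula identifier and the CVSS fallback order are taken from the page. Two normalisation choices are assumptions the page does not state, chosen so that a non-KEV CVE with perfect signals scores exactly 70 and a KEV-confirmed one scores 105 as the text requires: CVSS base scores (0–10) are scaled to 0–100 and EPSS probabilities (0.0–1.0) are scaled to 0–100 before weighting. The handling of a missing signal (contributes 0, reported under `data_quality`) is likewise an assumption.

```python
"""Worked reference for the RPS composition (added example, not DevSecure code).

ASSUMPTIONS not stated on the page:
  - CVSS (0-10) is scaled to 0-100 and EPSS (0.0-1.0) to 0-100 before weighting
  - a missing CVSS or EPSS signal contributes 0 and is listed in data_quality
"""
from dataclasses import dataclass
from typing import Optional

CVSS_WEIGHT = 0.4
EPSS_WEIGHT = 0.3
KEV_AMPLIFIER = 1.5                      # applied when the CVE is in CISA KEV
FORMULA_VERSION = "2.6.8"                # rps.version in the API response
FORMULA_ID = "additive_base_kev_amplifier"

# NVD CVSS fallback order from the page: the first version present wins.
CVSS_PREFERENCE = ("v3.1", "v3.0", "v4.0", "v2.0", "osv")


def select_cvss(available: dict) -> tuple[Optional[float], Optional[str]]:
    """Pick the baseline CVSS score following the fallback order.

    `available` maps a version label (e.g. "v3.1") to a 0-10 base score;
    versions absent from the record are simply absent from the dict.
    """
    for version in CVSS_PREFERENCE:
        score = available.get(version)
        if score is not None:
            return float(score), version
    return None, None


@dataclass(frozen=True)
class Signals:
    cvss: Optional[float]   # 0-10, None when no severity data exists
    epss: Optional[float]   # 0.0-1.0, None when FIRST.org has no score
    kev: bool               # True when the CVE is in the CISA KEV catalog


def compute_rps(signals: Signals) -> dict:
    """Return a response-shaped record: score, version, signals, explanation, data_quality."""
    missing = []
    if signals.cvss is None:
        missing.append("cvss")
    elif not 0.0 <= signals.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {signals.cvss}")
    if signals.epss is None:
        missing.append("epss")
    elif not 0.0 <= signals.epss <= 1.0:
        raise ValueError(f"EPSS out of range: {signals.epss}")

    cvss_in = signals.cvss if signals.cvss is not None else 0.0   # assumption: missing -> 0
    epss_in = signals.epss if signals.epss is not None else 0.0
    cvss_term = CVSS_WEIGHT * (cvss_in * 10)     # 0..40
    epss_term = EPSS_WEIGHT * (epss_in * 100)    # 0..30
    base = cvss_term + epss_term                 # 0..70, the "potential risk" tier
    amplifier = KEV_AMPLIFIER if signals.kev else 1.0
    score = round(base * amplifier, 2)           # up to 105; unbounded above 100 by design

    return {
        "score": score,
        "version": FORMULA_VERSION,
        "formula": FORMULA_ID,
        "signals": {"cvss": signals.cvss, "epss": signals.epss, "kev": signals.kev},
        "explanation": [
            f"cvss_term = {CVSS_WEIGHT} * ({cvss_in} * 10) = {cvss_term:.2f}",
            f"epss_term = {EPSS_WEIGHT} * ({epss_in} * 100) = {epss_term:.2f}",
            f"base = {base:.2f}; kev_amplifier = {amplifier}",
            f"rps = {base:.2f} * {amplifier} = {score}",
        ],
        "data_quality": {"missing_signals": missing, "complete": not missing},
    }


def reproduce(record: dict) -> bool:
    """Auditability check: recompute the score from the embedded signals and compare."""
    s = record["signals"]
    recomputed = compute_rps(Signals(s["cvss"], s["epss"], s["kev"]))
    return recomputed["score"] == record["score"] and record["version"] == FORMULA_VERSION


if __name__ == "__main__":
    # Constructed inputs, not real CVE data
    for label, sig in [("perfect signals, not in KEV", Signals(10.0, 1.0, False)),
                       ("perfect signals, KEV-confirmed", Signals(10.0, 1.0, True)),
                       ("medium CVSS, high EPSS, KEV", Signals(5.5, 0.9, True))]:
        rec = compute_rps(sig)
        print(f"{label}: RPS {rec['score']} (reproducible={reproduce(rec)})")
```

The `explanation` list is what makes the score auditable in the sense the page describes: every line is a term of the formula with its inputs, so a consumer can recompute it without trusting the scoring service, which is exactly what `reproduce()` does.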
Formula Versioning
| Field | Value |
|---|---|
| Current Version | 2.6.8 |
| API Response Field | rps.version |
| Formula Identifier | additive_base_kev_amplifier |

Every RPS score in the API response includes a version field so customers can reproduce historical scores. Formula changes will increment the version number.

Changelog:
- v2.6.7 → v2.6.8 (May 2026): Canonical response structure (signals, explanation, data_quality). EPSS 100% wording fix. No formula change.
- v2.6.3 → v2.6.4: Switched from multiplicative to additive base + KEV amplifier.
2. Why RPS ≠ CVSS
CVSS measures potential severity — how bad could this be? RPS estimates external remediation priority using severity, exploitation likelihood, and confirmed exploitation signals — what should I fix right now? Two examples make this concrete.
RPS corrects CVSS
CVE-2020-1472
Zerologon — Windows Netlogon privilege escalation
CVSS says Medium — this would sit in your backlog. RPS says fix it now: active exploitation confirmed.
RPS confirms CVSS
CVE-2021-44228
Log4Shell — Apache Log4j remote code execution
CVSS says Critical. RPS agrees and amplifies — both signals point to maximum urgency.
When CVSS and RPS disagree, RPS catches what CVSS misses. When they agree, RPS confirms and amplifies the urgency. Either way, RPS gives you a consistent prioritisation signal that CVSS alone cannot provide.
What RPS Is — and What It Isn't
RPS answers one question: of all known CVEs, which ones pose the highest external threat right now? It fuses CVSS severity, EPSS exploitation probability, and CISA KEV active exploitation evidence into a single, auditable score.
RPS is a universal external risk signal. It does not account for your specific deployment: whether the vulnerable library is actually in your dependency tree, whether the affected service is internet-facing, or what compensating controls you have in place.
For asset-specific risk, combine RPS with your own vulnerability management context — or use the full DevSecure ASPM platform, which maps RPS to your actual dependency graph and applies Fusion Score to proprietary code findings.
Think of RPS as a weather forecast: it tells everyone the storm is coming. Whether you need to board up your windows depends on where you live.
3. Data Sources
RPS fuses signals from 9 curated data sources. Each source contributes a specific dimension of risk intelligence. All sources refresh daily via our dbt medallion pipeline at 04:00 UTC.
| Source | Contribution | Refresh |
|---|---|---|
| NVD | CVSS scores, attack vectors, CWE mappings | Daily |
| EPSS | Exploitation probability (30-day forecast) | Daily |
| CISA KEV | Active exploitation confirmation | Daily |
| GHSA | GitHub Advisory context and severity | Hourly |
| OSV | Ecosystem-specific vulnerability data | Daily |
| MITRE | Canonical CVE metadata and assignment | Weekly |
| ExploitDB | Public exploit availability | Daily |
| MoreFixes | Verified before/after code patches | Static (FreshFix coming) |
| Internal AI | CWE confidence scoring and classification | Continuous |
4. Data Quality
We publish our enrichment coverage so you know exactly what data feeds every RPS score. These metrics update daily from our production BigQuery pipeline.
| Metric | Value | Definition |
|---|---|---|
| Total CVEs | 333,192 | in corpus |
| CVSS Coverage | 99.1% | with severity score |
| EPSS Coverage | 100% | with exploitation probability |
| CWE Mapping | 83.3% | with weakness classification |
| Patch Coverage | 8.9% | with verified fix data |
| Fully Enriched | 8.43% | all 5 signals present |
5. Our Priority Framework
RPS is part of a broader defensive priority model. When managing thousands of vulnerabilities, use this priority order:
1. KEV-Confirmed: CVEs in CISA's Known Exploited Vulnerabilities catalog are being actively exploited right now. These are your top priority regardless of CVSS score.
2. High EPSS: CVEs with EPSS percentile above 0.85 are highly likely to be exploited within 30 days. Prioritise these before they make the news.
3. Internet-Exposed Assets: A CVE on an internet-facing asset is orders of magnitude more dangerous than the same CVE on an internal system. Map your attack surface first.
4. Business-Critical Assets: Impact matters. A CVE on your production payment system matters more than a CVE on a development sandbox. Inventory your critical systems.
5. CVSS Severity: CVSS is the baseline, not the final word. Use it to understand the nature of the vulnerability — but don't prioritise by CVSS alone.
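The priority order above as a sortable queue, added here as an example rather than code from the DevSecure platform. The five tiers and the 0.85 EPSS threshold are taken from the page; the finding fields `internet_exposed` and `business_critical` are assumed names for the asset context that, as section 2 notes, RPS itself does not carry and you must supply from your own inventory. The sample queue is constructed, not real CVE data.

```python
"""The five-tier priority order as a sort key (added example, not DevSecure code).

ASSUMPTIONS: `internet_exposed` and `business_critical` are placeholder names
for asset context supplied by the reader's own vulnerability management data.
"""
from dataclasses import dataclass

EPSS_HIGH = 0.85   # "EPSS percentile above 0.85" per the framework


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float             # NVD base score, 0-10
    epss: float             # EPSS value as reported
    kev: bool               # listed in CISA KEV
    internet_exposed: bool  # assumed field: asset is internet-facing
    business_critical: bool # assumed field: asset is business-critical


TIERS = ("KEV-Confirmed", "High EPSS", "Internet-Exposed Assets",
         "Business-Critical Assets", "CVSS Severity")


def priority_tier(f: Finding) -> str:
    """Name of the highest-ranked tier the finding satisfies."""
    if f.kev:
        return TIERS[0]
    if f.epss > EPSS_HIGH:
        return TIERS[1]
    if f.internet_exposed:
        return TIERS[2]
    if f.business_critical:
        return TIERS[3]
    return TIERS[4]


def priority_key(f: Finding) -> tuple:
    """Tier flags in priority order, then CVSS as the tie-breaker; higher sorts first."""
    return (f.kev, f.epss > EPSS_HIGH, f.internet_exposed, f.business_critical, f.cvss)


def prioritise(findings):
    """Return the findings ordered from 'fix right now' to 'backlog'."""
    return sorted(findings, key=priority_key, reverse=True)


# Constructed sample queue (hypothetical identifiers, not real CVEs)
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.10, False, False, False),  # critical CVSS, nothing else
    Finding("CVE-EXAMPLE-B", 5.5, 0.40, True, False, False),   # medium CVSS but in KEV
    Finding("CVE-EXAMPLE-C", 7.5, 0.92, False, False, False),  # high EPSS
    Finding("CVE-EXAMPLE-D", 6.1, 0.05, False, True, False),   # internet-facing asset
    Finding("CVE-EXAMPLE-E", 8.1, 0.03, False, False, True),   # business-critical asset
    Finding("CVE-EXAMPLE-F", 4.3, 0.01, False, True, True),    # exposed and critical, low CVSS
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}: {priority_tier(f)} (CVSS {f.cvss}, EPSS {f.epss}, KEV {f.kev})")
```

Note how the CVSS 9.8 finding lands at the bottom of the queue while a CVSS 4.3 finding on an exposed, business-critical asset sits third: that is the framework's point that CVSS is the baseline, not the ordering.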