EPSS Recalculation with Warning or Waiver for Remediation Target
an hour ago
We have implemented EPSS for our vulnerability severity calculation and then apply remediation targets based on the calculated severity.
What we are having some issues with is that, when the EPSS scores are updated, we are seeing some vulnerabilities jump from a low to a critical overnight, and as they were identified some time ago they are automatically being reported as overdue and missing the target.
Does anyone have any guidance, ideas or anything coming in the platform that would enable us to build some rules around the EPSS calculation, so that if a change in the EPSS score would cause this, the vulnerability could be in some transitive state for a period of time? This would give the teams time to be notified and address the vulnerability before it is reported as overdue.
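The following is an added illustration of the "transitive state" idea from the post above, not code from the poster or from any vulnerability-management platform. It replays a finding's EPSS score history and compares the behaviour described in the post (severity from the latest score, SLA clock always anchored at first detection) with a graced policy where an escalation restarts the clock at the rescoring date with a minimum grace window. The EPSS-to-severity bands, the SLA days per band, the 14-day grace period and the sample finding are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical EPSS-to-severity bands (floor, band); the poster's real thresholds are not stated.
SEVERITY_BANDS = [(0.70, "critical"), (0.30, "high"), (0.10, "medium"), (0.00, "low")]
# Hypothetical remediation targets in days per band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def severity_for(epss: float) -> str:
    """Map an EPSS probability (0.0 to 1.0) onto a severity band."""
    for floor, band in SEVERITY_BANDS:
        if epss >= floor:
            return band
    return "low"


@dataclass
class Finding:
    name: str
    first_seen: date
    # (date the score was published, EPSS probability), oldest first.
    epss_history: List[Tuple[date, float]]


def naive_status(f: Finding, as_of: date) -> Tuple[str, date, bool]:
    """The behaviour the post describes: severity comes from the latest score,
    but the SLA clock always starts at first_seen, so a jump to critical on a
    months-old finding makes it overdue the same day."""
    scores = sorted(s for s in f.epss_history if s[0] <= as_of)
    band = severity_for(scores[-1][1]) if scores else "low"
    due = f.first_seen + timedelta(days=SLA_DAYS[band])
    return band, due, as_of > due


def graced_status(f: Finding, as_of: date, grace_days: int = 14
                  ) -> Tuple[str, date, bool, Optional[date]]:
    """Graced policy: the baseline clock starts at first_seen with the first
    score's band. On each escalation the clock restarts at the rescoring date,
    with a floor of grace_days, but the new due date is never later than the
    date already committed to. Downgrades leave the committed due date alone
    (a policy choice for this example, not the only reasonable one)."""
    scores = sorted(s for s in f.epss_history if s[0] <= as_of)
    band = severity_for(scores[0][1]) if scores else "low"
    due = f.first_seen + timedelta(days=SLA_DAYS[band])
    escalated_on: Optional[date] = None
    for scored_on, epss in scores[1:]:
        new_band = severity_for(epss)
        if RANK[new_band] > RANK[band]:
            window = max(SLA_DAYS[new_band], grace_days)
            due = min(due, scored_on + timedelta(days=window))
            escalated_on = scored_on
        band = new_band
    return band, due, as_of > due, escalated_on


# Constructed sample: found in January as low, rescored to critical in mid April.
SAMPLE = Finding(
    name="example-finding-1",
    first_seen=date(2024, 1, 10),
    epss_history=[(date(2024, 1, 10), 0.02), (date(2024, 4, 15), 0.85)],
)
DAY_AFTER_JUMP = date(2024, 4, 16)
TWO_WEEKS_LATER = date(2024, 5, 1)

if __name__ == "__main__":
    print("naive :", naive_status(SAMPLE, DAY_AFTER_JUMP))
    print("graced:", graced_status(SAMPLE, DAY_AFTER_JUMP))
    print("graced, two weeks on:", graced_status(SAMPLE, TWO_WEEKS_LATER))
```

Under the naive policy the sample finding is reported overdue on 16 April with a due date back in January; under the graced policy it becomes critical on the same day but the team has until 29 April before it is flagged, and it is genuinely overdue by 1 May. The `min(due, ...)` guard is what stops an escalation from ever granting more time than was already committed.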
