Tuesday, 10 March 2026

Black Hat USA 2025 | Vulnerability Haruspicy: Picking Out Risk Signals from Scoring System Entrails

Vulnerability scoring is supposed to bring order to the chaos of risk management, but in practice, it can feel more like reading tarot cards or poking at entrails than applying science. CVSS performs monkey math to force fractal bell curves, EPSS tries to predict exploitation with statistical black magicks, and SSVC ditches math entirely in favor of structured gut feelings. Meanwhile, defenders mix and match shortcuts — KEV lists, vendor advisories, and lived experience — to separate the truly urgent from the merely annoying. But are we actually making better risk decisions, or just using these frameworks to justify what we were going to do anyway? This talk will dig into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities. This talk will explore where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs exploitation. Expect debate, disagreements, and plenty of astrology jokes.

By: Tod Beardsley | VP of Security Research, runZero

Presentation Materials Available at: https://ift.tt/bnu5d0o
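The abstract's point that CVSS, EPSS, SSVC and KEV can each hand a defender a different "most urgent" list is easy to see on a small constructed data set. The script below is an added example, not material from the talk or from runZero: it ranks four placeholder vulnerabilities (VULN-A to VULN-D, with made-up scores) three ways and reports how little the top-N lists overlap. The `ssvc_like_decision` tree is a deliberately simplified stand-in for SSVC's real decision points, and the `exposed` flag represents the local asset context that none of the public scores carry.

```python
"""Rank one constructed set of vulnerabilities under three lenses (CVSS base
score, EPSS probability, simplified SSVC-style decision + KEV) and measure how
much the resulting priority lists agree.  Added example; all data is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str        # placeholder identifier, not a real CVE
    cvss: float     # CVSS base score, 0.0 - 10.0
    epss: float     # EPSS probability of exploitation within 30 days, 0.0 - 1.0
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog
    exposed: bool   # local context: affected asset reachable from an untrusted network


# Constructed sample data (not real vulnerabilities or real scores).
SAMPLE = [
    Vuln("VULN-A", 9.8, 0.02, in_kev=False, exposed=False),
    Vuln("VULN-B", 7.5, 0.91, in_kev=True,  exposed=True),
    Vuln("VULN-C", 5.3, 0.30, in_kev=False, exposed=True),
    Vuln("VULN-D", 8.1, 0.01, in_kev=False, exposed=True),
]


def rank_by_cvss(vulns):
    """Severity-only ordering: highest CVSS base score first."""
    return [v.vid for v in sorted(vulns, key=lambda v: -v.cvss)]


def rank_by_epss(vulns):
    """Likelihood-only ordering: highest EPSS probability first."""
    return [v.vid for v in sorted(vulns, key=lambda v: -v.epss)]


def ssvc_like_decision(v: Vuln) -> str:
    """Simplified SSVC-style decision (an assumption for this example, not CISA's
    full tree).  Returns one of 'act', 'attend', 'track'."""
    exploited = v.in_kev                      # KEV stands in for the 'exploitation' point
    if exploited and v.exposed:
        return "act"                          # known exploited and reachable: patch now
    if exploited or v.epss >= 0.5 or (v.exposed and v.cvss >= 7.0):
        return "attend"                       # likely or impactful enough to schedule soon
    return "track"                            # watch, revisit when signals change


def rank_by_ssvc(vulns):
    """Decision-tree ordering; ties inside a decision bucket broken by EPSS then CVSS."""
    order = {"act": 0, "attend": 1, "track": 2}
    return [v.vid for v in sorted(
        vulns, key=lambda v: (order[ssvc_like_decision(v)], -v.epss, -v.cvss))]


def top_n_overlap(ranking_a, ranking_b, n: int) -> int:
    """How many of the top-n entries two priority lists share (0 = total disagreement)."""
    return len(set(ranking_a[:n]) & set(ranking_b[:n]))


def compare_all(vulns, n: int = 2) -> dict:
    """Pairwise top-n overlap between the three rankings, keyed by lens pair."""
    lenses = {"cvss": rank_by_cvss(vulns),
              "epss": rank_by_epss(vulns),
              "ssvc": rank_by_ssvc(vulns)}
    names = list(lenses)
    return {f"{a}/{b}": top_n_overlap(lenses[a], lenses[b], n)
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    for name, fn in (("CVSS", rank_by_cvss), ("EPSS", rank_by_epss), ("SSVC-like", rank_by_ssvc)):
        print(f"{name:>9}: {fn(SAMPLE)}")
    for v in SAMPLE:
        print(f"{v.vid}: {ssvc_like_decision(v)}")
    print("top-2 overlap:", compare_all(SAMPLE))
```

On this data the three lenses produce three different orderings: CVSS puts the unexposed 9.8 first, EPSS puts the KEV-listed 7.5 first, and the SSVC-style tree agrees with EPSS about the top item but promotes the exposed 8.1 that EPSS ranks last. The top-2 overlap between CVSS and EPSS is zero, which is the kind of disagreement the talk is poking at; the practical takeaway for a defender is that a ranking is only as good as the context (exploitation evidence, exposure) fed into it.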

source https://www.youtube.com/watch?v=CW0Awo7pN5M
