As mentioned in the training material CVSS has some issues, and in practice it results to a large list of vulnerabilities that need to be addressed even though if it doesn't overlap with the vulnerabilities list that are being exploited or are exploitable. There is the EPSS model from first.org that focuses on that problem. That is on making the list of vulnerabilities to be addressed smaller - i.e., more actionable. What are your thoughts in including this information in addition to CVSS?
As mentioned in the training material CVSS has some issues, and in practice it results to a large list of vulnerabilities that need to be addressed even though if it doesn't overlap with the vulnerabilities list that are being exploited or are exploitable. There is the EPSS model from first.org that focuses on that problem. That is on making the list of vulnerabilities to be addressed smaller - i.e., more actionable. What are your thoughts in including this information in addition to CVSS?