EPSS与风险评分策略治理（权重-阻断-灰度）最佳实践

---

title: EPSS与风险评分策略治理（权重-阻断-灰度）最佳实践

keywords:

• EPSS
• 风险评分
• 权重
• 阈值
• 灰度

description: 将 EPSS 概率与 CVSS 评分结合权重形成风险分，按阈值实施阻断与灰度策略，提升修复优先级与安全性。

categories:

• 文章资讯
• 编程技术

---

实现示例

type Advisory = { cve: string; cvss: number; epss: number }
type Policy = { wCvss: number; wEpss: number; block: number; warn: number }

function validCvss(s: number): boolean { return s >= 0 && s <= 10 && Number.isFinite(s) }
function validEpss(p: number): boolean { return p >= 0 && p <= 1 && Number.isFinite(p) }

function score(a: Advisory, p: Policy): number { return a.cvss * p.wCvss + a.epss * 10 * p.wEpss }

function evaluate(list: Advisory[], p: Policy): { blocked: Advisory[]; warned: Advisory[]; passed: Advisory[] } {
  const blocked: Advisory[] = []
  const warned: Advisory[] = []
  const passed: Advisory[] = []
  for (const a of list) {
    if (!validCvss(a.cvss) || !validEpss(a.epss)) { blocked.push(a); continue }
    const s = score(a, p)
    if (s >= p.block) blocked.push(a)
    else if (s >= p.warn) warned.push(a)
    else passed.push(a)
  }
  return { blocked, warned, passed }
}

审计与CI门禁

• 记录风险分与决策；阻断项直接失败；警告项进入灰度窗口处置。
• 权重与阈值变更需审批并回归验证。