
Add KEV ransomware EPSS evidence gates #1471

Open
jddark62 wants to merge 1 commit into UnitOneAI:main from jddark62:improve/patch-epss-kev-ransomware-1466

Conversation

@jddark62 jddark62 commented Jun 6, 2026


Summary

Closes #1466.

This updates patch-prioritization with enforceable evidence gates for active exploitation, KEV ransomware usage, EPSS trend acceleration, low-EPSS deferral guardrails, compensating-control TTL, and virtual patching for systems that cannot be physically patched inside SLA.

What Changed

  • Add PATCH-ACTIVE-01 through PATCH-ACTIVE-08 checks for missing KEV enrichment, KEV ransomware emergency escalation, low-EPSS-only deferrals, unaccelerated rising EPSS trends, missing exception TTL, incomplete virtual patch evidence, unhandled unpatchable systems, and missing Not Evaluable states.
  • Add decision rules for P0 KEV ransomware handling, low-EPSS deferral, EPSS rising/surging acceleration, virtual patch TTL caps, and Not Evaluable evidence gaps.
  • Extend vulnerability inventory with KEV ransomware and active-exploitation evidence fields.
  • Add low-EPSS deferral and ransomware KEV override tier-assignment rules.
  • Add exception TTL fields to compensating-control assessment.
  • Add RASP/API gateway virtual patching as a compensating control, with rule ID, protected scope, bypass test, telemetry, and rollback evidence requirements.
  • Extend report output with active exploitation / deferral evidence and virtual patch / exception TTL matrices.
  • Add six YAML fixtures covering KEV ransomware under-prioritization, CVSS-critical low-EPSS false deferral, rising EPSS without acceleration, missing compensating-control TTL, incomplete virtual patch evidence, and a complete risk-based deferral package.

Validation

  • git diff --check
  • Parsed all 6 YAML fixtures successfully
  • Markdown fence balance check
  • Marker/content scan for PATCH-ACTIVE, knownRansomwareCampaignUse, KEV ransomware, low EPSS, virtual patching, exception TTL, Not Evaluable, and 1.0.1
  • Live official reference checks returned HTTP 200 for CISA KEV JSON, FIRST EPSS API/docs, SSVC, and CISA BOD 22-01
  • Privacy scan for local paths, personal email, and workspace identifiers

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1466
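The tier-override and deferral rules summarised in the description, as an added illustration that is not code from this PR or the UnitOneAI project: the EPSS thresholds, the P1 to P3 ladder, the TTL cap and the record fields are assumptions, and the PATCH-ACTIVE IDs are mapped to the findings in the order the description lists them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds and the tier ladder below are assumptions for this illustration,
# not values taken from the PR; the check IDs follow the order the PR lists them in.
LOW_EPSS = 0.05              # EPSS probability treated as "low"
RISING_DELTA = 0.10          # 30-day EPSS increase treated as "rising"
MAX_EXCEPTION_TTL_DAYS = 90  # cap on a compensating-control exception

@dataclass
class Vuln:
    cve: str                                     # constructed placeholder ids in tests
    cvss: float
    epss_now: float
    epss_30d_ago: float
    kev_enriched: bool = False                   # record was looked up in CISA KEV at all
    in_kev: bool = False
    known_ransomware_campaign_use: bool = False  # KEV knownRansomwareCampaignUse == "Known"
    deferral_reasons: Tuple[str, ...] = ()       # e.g. ("low_epss",)
    accelerated: bool = False                    # SLA already pulled in for the EPSS trend
    compensating_control: bool = False
    exception_ttl_days: Optional[int] = None

def evaluate(v: Vuln) -> Tuple[str, List[str]]:
    """Return (tier, findings); tier is 'Not Evaluable' when KEV evidence is absent."""
    findings: List[str] = []
    if not v.kev_enriched:
        findings.append("PATCH-ACTIVE-01: no KEV enrichment, state must be Not Evaluable")
        return "Not Evaluable", findings
    if v.in_kev and v.known_ransomware_campaign_use:
        findings.append("PATCH-ACTIVE-02: KEV ransomware use overrides tier to P0")
        tier = "P0"
    elif v.in_kev:
        tier = "P1"        # assumed: any KEV entry is treated as actively exploited
    elif v.cvss >= 9.0:
        tier = "P2"
    else:
        tier = "P3"
    if v.deferral_reasons == ("low_epss",):
        findings.append("PATCH-ACTIVE-03: deferral rests on low EPSS alone")
    if v.epss_now - v.epss_30d_ago >= RISING_DELTA and not v.accelerated:
        findings.append("PATCH-ACTIVE-04: EPSS rising but remediation not accelerated")
    if v.compensating_control and (v.exception_ttl_days is None
                                   or v.exception_ttl_days > MAX_EXCEPTION_TTL_DAYS):
        findings.append("PATCH-ACTIVE-05: compensating control lacks a valid exception TTL")
    return tier, findings
```

A record with no KEV lookup is never tiered, so a missing enrichment cannot silently land in a low tier.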

Development

Successfully merging this pull request may close these issues.

[REVIEW] patch-prioritization: add EPSS v3 'Active Exploitation' weighting and CISA KEV 'Ransomware' labels