
Vulnerability Presence Rate (VPR)

Updated 11 December 2025
  • Vulnerability Presence Rate (VPR) is a metric that quantifies software risk by either the probability of exploitation for a CWE or the average vulnerability density per system asset.
  • It employs rigorous methodologies by aggregating EPSS scores or asset-based CVE counts to prioritize remediation and integrate into security workflows.
  • Empirical findings show that VPR patterns vary across CWE families and system snapshots, enabling precise risk thresholding and dynamic vulnerability management.

The Vulnerability Presence Rate (VPR) is a quantitative metric designed to assess the exposure and risk landscape associated with software vulnerabilities. While the term has appeared in multiple research contexts, its formalization varies: in recent literature, VPR either denotes the empirical probability that at least one vulnerability mapped to a given software weakness (typically a CWE) will be exploited over a defined time window (Mell et al., 2 May 2024), or it refers to the per-asset average of known vulnerabilities at a specific system snapshot (Longueira-Romero et al., 2021). Both interpretations serve as core indicators for vulnerability management, prioritization, and longitudinal security assessment.

1. Formal Definitions

Two prominent, non-conflicting definitions of Vulnerability Presence Rate (VPR) exist in the academic literature:

(i) Exploitation Probability Formulation (Mell et al., 2 May 2024): Let $x$ be a CWE (software weakness) and $d$ a reference date. Let $S_x$ denote the set of CVEs (Common Vulnerabilities and Exposures) mapped by NVD to $x$ (including View-1003 descendants). For each $y \in S_x$, $\mathrm{EPSS}(y, d)$ is the probability, as estimated by the Exploit Prediction Scoring System, that $y$ will be exploited in the subsequent 30 days. The VPR for $x$ at $d$ is then

$$\mathrm{VPR}_x(d) = 1 - \prod_{y \in S_x}\bigl(1 - \mathrm{EPSS}(y,d)\bigr).$$

This metric captures the aggregate likelihood that at least one vulnerability associated with a given weakness family experiences exploitation in a 30-day window.

(ii) Per-Asset Vulnerability Density Formulation (Longueira-Romero et al., 2021): Let $A(t)$ be the set of $n(t)$ assets in the system at time $t$, and $CVE_A(t)$ the union of all known CVEs affecting any $a_i \in A(t)$. The VPR is defined as

$$\mathrm{VPR}(A, t) = \frac{|CVE_A(t)|}{n(t)},$$

equivalent to the metric $M_0(A)$, the arithmetic mean of vulnerabilities per asset at snapshot $t$.

2. Data Sources, Inputs, and Processing Steps

Exploitation Probability (EPSS-based) VPR (Mell et al., 2 May 2024)

  • Primary data feeds:
    • MITRE CVE list (via NVD mirror)
    • CWE taxonomy (View-1003: 130 "most commonly seen" CWEs)
    • NVD mappings from CVE to CWE
    • EPSS feed with daily exploitation probabilities (versioned v1, v2, v3)
  • Processing workflow:
  1. Construct $S_x$ for each CWE $x$ by traversing View-1003 (including all children).
  2. At each weekly snapshot $d$, query $\mathrm{EPSS}(y, d)$ for each $y \in S_x$.
  3. Compute $\mathrm{VPR}_x(d)$ via the product formula above.
  • Assumptions:
    • If $y$ does not yet exist in NVD by $d$, $\mathrm{EPSS}(y, d) = 0$ (future vulnerabilities excluded).
    • No filtering by affected vendor or severity; all mapped CVEs are included.

Per-Asset Density VPR (Longueira-Romero et al., 2021)

  • Primary data feeds and representations:
    • Regularly updated CVE feeds (NVD, CVSS)
    • Extended Dependency Graph (EDG) modeling of system assets and associated vulnerabilities
  • Processing workflow:
  1. Decompose the system into asset nodes.
  2. Attach discovered CVEs (and CVSS/CWE tags) to each asset.
  3. At each chosen timestamp, snapshot the system state.
  4. Compute VPR as $|CVE_A(t)|$ divided by the number of assets $n(t)$.
  • Temporal tracking:
    • Produce the time series $\{\mathrm{VPR}(A,t_0), \ldots, \mathrm{VPR}(A,t_T)\}$.
    • Optional linear/exponential regression for forecasting.
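Both processing workflows above reduce to a few lines of arithmetic once the feeds are in hand. The following is an added example, not code from either paper, that computes the EPSS-based $\mathrm{VPR}_x(d)$ over weekly snapshots and the per-asset $\mathrm{VPR}(A,t)$ for one system snapshot. All inputs (the EPSS feed, the CWE-to-CVE mapping, the asset snapshot, the CVE identifiers) are constructed placeholders standing in for the NVD and EPSS data the page describes; the function names are likewise my own.

```python
import math
from datetime import date

# --- Constructed sample inputs (placeholders, not data from either paper) ---------
# Weekly EPSS snapshots: date -> {CVE id: 30-day exploitation probability}.
# A CVE missing from a snapshot is treated as not yet published in NVD on that
# date, so its EPSS contribution is 0 (the Section 2 assumption).
D1 = date(2024, 5, 2)
D2 = date(2024, 5, 9)
EPSS_FEED = {
    D1: {"CVE-0000-0001": 0.05, "CVE-0000-0002": 0.40},
    D2: {"CVE-0000-0001": 0.05, "CVE-0000-0002": 0.40, "CVE-0000-0003": 0.97},
}

# Stand-in for the NVD CVE -> CWE mapping: S_x for each weakness x, with
# View-1003 children already folded in.
CWE_TO_CVES = {
    "CWE-A": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
    "CWE-B": {"CVE-0000-0001"},
}

# One system snapshot for the per-asset formulation: asset -> CVEs affecting it.
# CVE-0000-0011 is shared by two assets and must be counted once in |CVE_A(t)|.
SNAPSHOT = {
    "libcrypto": {"CVE-0000-0010", "CVE-0000-0011", "CVE-0000-0013"},
    "httpd": {"CVE-0000-0011", "CVE-0000-0012"},
    "plc-runtime": set(),
    "kernel": {"CVE-0000-0014"},
}


def epss(cve, d):
    """EPSS(y, d); 0.0 when the CVE is absent from the feed on date d."""
    return EPSS_FEED.get(d, {}).get(cve, 0.0)


def vpr_epss(cwe, d):
    """VPR_x(d) = 1 - prod over y in S_x of (1 - EPSS(y, d)).

    The survival product is accumulated in log space with log1p so that a
    weakness with tens of thousands of mapped CVEs, each with a tiny EPSS, does
    not lose precision; a single EPSS of 1.0 saturates the result at 1 outright.
    """
    log_survival = 0.0
    for cve in CWE_TO_CVES[cwe]:
        p = epss(cve, d)
        if p >= 1.0:
            return 1.0
        log_survival += math.log1p(-p)
    return 1.0 - math.exp(log_survival)


def vpr_series(cwe, dates):
    """Weekly VPR time series for one weakness, in the order of `dates`."""
    return [vpr_epss(cwe, d) for d in dates]


def vpr_per_asset(snapshot):
    """VPR(A, t) = |union of CVEs over all assets| / n(t)."""
    if not snapshot:
        raise ValueError("snapshot contains no assets")
    all_cves = set().union(*snapshot.values())
    return len(all_cves) / len(snapshot)


def asset_densities(snapshot):
    """Per-asset CVE counts, highest first, to pinpoint remediation priorities."""
    return sorted(((a, len(c)) for a, c in snapshot.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for cwe in CWE_TO_CVES:
        print(cwe, [round(v, 4) for v in vpr_series(cwe, [D1, D2])])
    print("per-asset VPR:", vpr_per_asset(SNAPSHOT))
    print("densities:", asset_densities(SNAPSHOT))
```

Two details are worth noticing when running this. First, the weakness CWE-A jumps from 0.43 to 0.98 between the two snapshots solely because a newly published CVE with a high EPSS entered $S_x$, which is exactly the "future vulnerabilities excluded" assumption at work. Second, the per-asset value is 5/4 = 1.25 rather than the 6/4 = 1.5 a naive per-asset sum would give, because the shared CVE is counted once in the union; the sorted per-asset densities are what point at the component to remediate first.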

3. Interpretation, Thresholding, and Classification

Exploitation Probability (EPSS-based) VPR

  • VPR = 0%: No indications of exploitation for the weakness in the given window.
  • VPR = 50%: Roughly a one-in-two probability that at least one mapped CVE is exploited in the 30-day window.
  • VPR = 100%: Certainty that at least one instance is exploited in every interval.

CWE families are classified according to temporal VPR profiles:

  • Exploited: Always VPR = 1 (persistent, widespread exploitation)
  • High: $0.90 < \mathrm{VPR} < 1.00$ at some points, but not persistent
  • Variable: Significant fluctuation, with intervals crossing $0.10 < \mathrm{VPR} < 0.90$
  • Low: $\mathrm{VPR} \leq 0.10$ throughout the measured period

Per-Asset Density VPR

  • $\mathrm{VPR} < 1$: Fewer than one known CVE per asset, on average (low exposure)
  • $1 \leq \mathrm{VPR} \leq 3$: Moderate average vulnerability load
  • $\mathrm{VPR} > 3$: High exposure, indicating significant remediation requirements

These interpretations can be rescaled or thresholded to match local risk appetite.

4. Empirical Findings and Case Studies

  • Empirical evaluation across 130 View-1003 CWEs + 2 NVD designators over 151 weeks (2021–2024) yielded 18,480 VPR data points.
  • 8% of weakness families were categorized as "Exploited" (VPR = 1 at all times).
  • 43% "High", 48% "Variable", 1% "Low".
  • 92% of evaluated weaknesses did not experience constant exploitation.
  • Four archetypal VPR temporal patterns observed: Drop, Jump, Stable, Step Up.
  • For high-prevalence weaknesses (e.g., CWE-79 with ~25,000 mapped CVEs), VPR is saturated at 1 due to cumulative exploitation probability.
  • OpenPLC case:
    • V1: 19 assets, 91 CVEs, VPR ≈ 4.79 (high)
    • V2: 22 assets, 77 CVEs, VPR ≈ 3.50 (moderate)
    • V3: 19 assets, 5 CVEs, VPR ≈ 0.26 (low)
  • The removal of a high-vulnerability library (libssl) correlated directly with VPR reduction.
  • Asset-level density measures, combined with global VPR, pinpoint remediation priorities.

5. Integration with Vulnerability Management Workflows

  • EPSS-based VPR supports real-time risk triage: periodically recompute VPR for prioritized weaknesses using automated pulls from EPSS and NVD.
  • Use in conjunction with vulnerability counts (CVE frequency) for code review, patch prioritization, and defensive resource allocation.
  • Per-asset VPR, especially in graph-based models, enables tracking of vulnerability load during system evolution or release cycles.
  • CI/CD integration is recommended: nightly calculation and threshold-based alerts facilitate rapid responses to VPR excursions.
  • Augmentation with severity weighting (e.g., combining CVSS scores per asset) yields enhanced composite risk metrics, referred to as "risk presence rate" (Editor's term).
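The classification rules of Section 3 and the threshold-based alerting of Section 5 both reduce to simple checks over a VPR time series. The following added example (not code from either paper) implements the four temporal classes for EPSS-based VPR, the three density bands for per-asset VPR, the class-share summary that Section 4 reports, and a crossing detector of the kind a nightly job would alert on. The ordering in which the four temporal rules are tested is my own reading of the page's definitions, the function names are mine, and the thresholds are parameters because the page says they can be rescaled to local risk appetite.

```python
# Constructed weekly VPR series for four placeholder weaknesses (not paper data).
WEEKLY_VPR = {
    "CWE-P": [1.0, 1.0, 1.0, 1.0],      # saturated every week
    "CWE-Q": [0.03, 0.05, 0.10, 0.04],  # never above 0.10
    "CWE-R": [0.20, 0.55, 0.95, 0.97],  # fluctuates through the middle band
    "CWE-S": [1.0, 0.95, 1.0, 0.92],    # high but not persistently 1
}


def classify_cwe_profile(series):
    """Assign one temporal class from Section 3 to a weekly VPR series.

    Rule order (my interpretation): Exploited if every value is 1; Low if every
    value is <= 0.10; Variable if any value falls strictly between 0.10 and
    0.90; otherwise High (values above 0.90 at some points, not persistent).
    """
    if not series:
        raise ValueError("empty VPR series")
    if all(v >= 1.0 for v in series):
        return "Exploited"
    if all(v <= 0.10 for v in series):
        return "Low"
    if any(0.10 < v < 0.90 for v in series):
        return "Variable"
    return "High"


def classify_asset_density(vpr, low_max=1.0, moderate_max=3.0):
    """Band a per-asset VPR; defaults are the Section 3 thresholds (<1, 1..3, >3)."""
    if vpr < low_max:
        return "low"
    if vpr <= moderate_max:
        return "moderate"
    return "high"


def profile_shares(series_by_cwe):
    """Fraction of weakness families in each temporal class (Section 4 style)."""
    counts = {"Exploited": 0, "High": 0, "Variable": 0, "Low": 0}
    for series in series_by_cwe.values():
        counts[classify_cwe_profile(series)] += 1
    total = len(series_by_cwe)
    return {name: n / total for name, n in counts.items()}


def vpr_excursions(series, threshold):
    """Indices where VPR crosses from at-or-below `threshold` to above it.

    Only upward crossings are reported, so a weakness that stays above the
    threshold alerts once when it crosses, not every night while it stays high.
    """
    crossings = []
    prev = None
    for i, v in enumerate(series):
        if prev is not None and prev <= threshold < v:
            crossings.append(i)
        prev = v
    return crossings


if __name__ == "__main__":
    for cwe, series in WEEKLY_VPR.items():
        print(cwe, classify_cwe_profile(series), vpr_excursions(series, 0.90))
    print(profile_shares(WEEKLY_VPR))
```

Note that `classify_cwe_profile` reports the class for the whole measured period, while `vpr_excursions` is the per-snapshot signal; a nightly job would typically store the previous value and raise an alert only on the crossing, then re-run the classification weekly over the accumulated series.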

6. Limitations and Practical Considerations

  • EPSS version updates introduce minor discontinuities in VPR time series; no recalibration is required beyond use of the updated scores.
  • Both formulations of VPR are only as reliable as their underlying data feeds and mappings (NVD, EPSS, CVE, CWE).
  • The per-asset metric might inflate VPR in systems with shared high-exposure components, highlighting the importance of context-aware thresholding and asset attribution.
  • Low VPR does not eliminate long-term risk, as future exploitation or disclosure events may alter the status quo. Continuous monitoring is essential.

7. Comparative Summary

| VPR Formulation | Unit of Analysis | Formula | Key Application |
|---|---|---|---|
| EPSS-based (Mell et al., 2 May 2024) | CWE family (weakness class) | $1-\prod_{y\in S_x}(1 - \mathrm{EPSS}(y,d))$ | Probabilistic exploitation triage |
| Per-Asset (Longueira-Romero et al., 2021) | Asset group / system snapshot | $\lvert CVE_A(t) \rvert / n(t)$ | Exposure monitoring, remediation |

By tracing and updating Vulnerability Presence Rate under both definitions, organizations and researchers can quantitatively prioritize their security engineering processes at the weakness family and system asset granularity. Both perspectives are widely adaptable, computationally tractable, and suited for longitudinal risk management and post hoc security analytics.
