Empirical.Models.Global
The Empirical.Models.Global API provides comprehensive, real-time security insights across a vast range of global vulnerabilities and threats. Designed for enterprise security teams, this API enables users to access critical data on known vulnerabilities and exploits, as well as exploitation probabilities, empowering organizations to make faster, data-driven decisions to protect their assets.
With predictive scoring powered by machine learning, the API offers an accurate view of exploit likelihood through the Exploit Prediction Scoring System (EPSS). Users have access to historical and near-real time data about CVE details, CPE information, exploits, and historical exploitation data—giving a granular understanding of vulnerability risk and the data provenance to have confidence in the decisions the API enables.
Data Dictionary
Scoring
global
Empirical scores are generated from our Global Model and updated hourly.
empirical_score float (ex. 0.9713943314711305)
empirical_percentile float (ex. 0.9713943314711305)
computed_at datetime (ex. 2025-03-16 18:46:04 UTC)
epss_v4
Empirical Security generates the EPSS scores that are served from first.org. In our enterprise API, we update the scores hourly rather than daily.
epss_score float (ex. 0.9713943314711305)
epss_percentile float (ex. 0.9713943314711305)
computed_at datetime (ex. 2025-03-16 18:46:04 UTC)
epss_v3
Empirical Security generates the EPSS scores that are served from first.org. In our enterprise API, we update the scores hourly rather than daily.
epss_score float (ex. 0.9713943314711305)
epss_percentile float (ex. 0.9713943314711305)
computed_at datetime (ex. 2025-03-16 18:46:04 UTC)
Get Score History
Retrieve the entire score history for the CVE. Supported scoring_model values are global, epss_v3, epss_v4, and all.
CVE Data
identifier
CVE ID assigned to a vulnerability
string (ex. “CVE-2023-49103”)
description
Text summary describing the CVE ID referenced by the identifier.
string (ex. “An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1”)
reserved_at
datetime (ex. “2023-11-21T00:00:00.000Z”)
published_at
datetime (ex. “2023-11-21T00:00:00.000Z”)
last_updated_at
datetime (ex. “2025-01-27T22:24:27.772Z”)
recently_updated
Returns CVEs with updated information and/or any score change greater than 0.0001 within the selected date range.
past_day boolean CVE data has been updated in the last 24 hours
past_week boolean CVE data has been updated in the last 7 days
past_month boolean CVE data has been updated in the last 30 days
cisa_kev_added_at
datetime (ex. “2023-11-30T00:00:00.000Z”)
vendor
The name of the software vendor responsible for the affected software. Spaces in vendor names should be replaced with underscores.
string (ex. “google”)
product
The name of the affected software product. Spaces in product names should be replaced with underscores.
string (ex. “chrome_os”)
tags
Empirical Security generated metadata relevant to the CVE ID
actor string
actor_action string
attack_vector string (ex. “Network”)
component string (ex. [“mail server credentials”, “license key”])
keywords string (ex. [“information disclosure”, “web”])
outcome string (ex. [“credential disclosure”, “web”])
prerequisite string (ex. [“URL is accessed”])
stride string (ex. [“tampering”, “denial of service”])
weakness string (ex. [“reveals the configuration details of the PHP environment”])
references
Discovered links associated with the CVE ID referenced by the identifier.
url
shodan_vulnerability_count
integer (ex. “4”)
hackerone_reports_submitted
integer (ex. “4”)
google_project_zero
present boolean (ex. “false”)
patched_at datetime (ex. “null”)
Get Malware
Provides all malware hashes associated with the given CVE identifier.
md5 integer
sha1 integer
sha256 string
Exploitation Activity and Exploits Data
has_exploitation_activity
Secondary source reporting of exploitation (DHS CISA, threat intel blogs, etc.) is a useful but incomplete picture of exploitation activity. Our Exploitation Activity data answers the deeper questions about exploitation by measuring actual events and reporting primary source information. This data comes from aggregated sources, and includes malware and network detections. These observations are repeatable, systematic, and represent a much better guide for action.
boolean (ex. true)
exploitation_activity
Mutually exclusive time buckets ensure that data points are not double-counted or misallocated. They prevent a single exploitation activity from making multiple categories light up, which would create an inaccurate perception of activity volume.
0_to_7_days boolean Days with exploitation activity in the last 7 days
8_to_30_days boolean Any exploitation activity in the last month excluding the last 7 days
31_to_90_days boolean Any exploitation activity in the last 90 days excluding the last 30
91_to_365 boolean Any exploitation activity in last year (365 days) excluding the last 90
alltime boolean Any exploitation activity beyond 1 year (365 days)
exploit_code
Returns CVEs with any discovered exploit code links detected (ex. GitHub Repository Links).
boolean (ex. true)
exploits
Exploit code is discovered using our proprietary machine learning model, a binary classifier that crawls GitHub and determines whether a repository is an exploit or just a mention of a CVE. The model discovers new exploit code daily, and when a repository crosses our model threshold, we include it here. Additional exploit code is included if we find it in the plethora of other sources we purchase or scrape.
metasploit See below for examples
exploitdb See below for examples
github See below for examples
metasploit
Exploits data includes:
name string (ex. “ownCloud Phpinfo Reader”)
fullname string (ex. “auxiliary/gather/owncloud_phpinfo_reader”)
description string
disclosure_date datetime (ex. “2023-11-21”)
mod_date datetime (ex. “2023-12-04T20:09:56.000Z”)
github
Exploits data includes:
repo string (ex. “d0rb/CVE-2023-49103”)
prediction float (ex. 0.8660581707954407)
predicted_at datetime (ex. 2025-03-10T16:40:29.000Z)
repo_created_at datetime (ex. 2025-03-10T20:11:29.004Z)
exploitdb
Exploits data includes:
url url
published_on datetime (ex. “2018-08-03”)
author string (ex. “Mark Corrigan”)
platform string (ex. “xml”)
exploit_type string (ex. “webapps”)
CVSS and CWE Data
CVSS
Common Vulnerability Scoring System data (only 4.0 and 3.1 vectors are supported)
version integer (ex. 3.1)
score integer (ex. 10.0)
vector string (ex. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
metrics See below for examples
sources See below for examples
metrics
CVSS data includes:
attack_vector string (ex. “Network”)
attack_complexity string (ex. “Low”)
privileges_required string (ex. “None”)
user_interaction string (ex. “None”)
scope string (ex. “Changed”)
confidentiality string (ex. “High”)
integrity string (ex. “High”)
availability string (ex. “High”)
sources
CVSS data includes:
string (ex. [“cve@mitre.org”, “mitre”])
cwes
Common Weakness Enumeration data
identifier string (ex. “CWE-200”)
name string (ex. “Exposure of Sensitive Information to an Unauthorized Actor”)
description string (ex. “The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.”)
category_name string (ex. “SFP Secondary Cluster: Exposed Data”)
category_id string (ex. “CWE-963”)
API Response Example
{
  "identifier": "CVE-2023-49103",
  "description": "An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo).",
  "cvss": [
    {
      "version": "3.1",
      "score": 10.0,
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "metrics": {
        "attack_vector": "Network",
        "attack_complexity": "Low",
        "privileges_required": "None",
        "user_interaction": "None",
        "scope": "Changed",
        "confidentiality": "High",
        "integrity": "High",
        "availability": "High"
      },
      "sources": [
        "cve@mitre.org",
        "mitre"
      ]
    },
    {
      "version": "3.1",
      "score": 7.5,
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "metrics": {
        "attack_vector": "Network",
        "attack_complexity": "Low",
        "privileges_required": "None",
        "user_interaction": "None",
        "scope": "Unchanged",
        "confidentiality": "High",
        "integrity": "None",
        "availability": "None"
      },
      "sources": [
        "nvd@nist.gov"
      ]
    }
  ],
  "references": [
    "https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/",
    "https://owncloud.org/security"
  ],
  "has_exploitation_activity": true,
  "exploitation_activity": {
    "0_to_7_days": true,
    "8_to_30_days": true,
    "31_to_90_days": true,
    "91_to_365_days": true,
    "alltime": true
  },
  "tags": {
    "actor": [],
    "actor_action": [],
    "attack_vector": [],
    "component": [
      "mail server credentials",
      "license key",
      "ownCloud admin password"
    ],
    "keywords": [
      "information disclosure",
      "web",
      "configuration"
    ],
    "outcome": [
      "credential disclosure",
      "gather information"
    ],
    "prerequisite": [
      "URL is accessed"
    ],
    "stride": [
      "tampering",
      "information disclosure",
      "denial of service"
    ],
    "weakness": [
      "reveals the configuration details of the PHP environment",
      "exposes various other potentially sensitive configuration details"
    ]
  },
  "cwes": [
    {
      "identifier": "CWE-200",
      "name": "Exposure of Sensitive Information to an Unauthorized Actor",
      "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
      "category_name": "SFP Secondary Cluster: Exposed Data",
      "category_id": "CWE-963"
    }
  ],
  "reserved_at": "2023-11-21T00:00:00.000Z",
  "published_at": "2023-11-21T00:00:00.000Z",
  "last_updated_at": "2025-01-27T22:24:27.772Z",
  "cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
  "shodan_vulnerability_count": null,
  "google_project_zero": {
    "present": false,
    "patched_at": null
  },
  "exploits": {
    "metasploit": [
      {
        "name": "ownCloud Phpinfo Reader",
        "fullname": "auxiliary/gather/owncloud_phpinfo_reader",
        "description": "Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed\n contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.\n Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.",
        "disclosure_date": "2023-11-21",
        "mod_time": "2023-12-04T20:09:56.000Z"
      }
    ],
    "exploitdb": [],
    "github": [
      {
        "repo": "d0rb/CVE-2023-49103",
        "prediction": 0.8660581707954407,
        "predicted_at": "2025-03-10T16:40:29.000Z",
        "repo_created_at": "2025-03-10T20:11:29.004Z"
      }
    ]
  },
  "hackerone_reports_submitted": 4,
  "scores": {
    "epss_v4": {
      "score": 0.9091291982186883,
      "percentile": 0.996181146025878,
      "computed_at": "2025-03-16 18:46:04 UTC"
    },
    "epss_v3": {
      "score": 0.92099,
      "percentile": 0.99238,
      "computed_at": "2025-03-16 15:46:16 UTC"
    },
    "global": {
      "score": 0.9713943314711305,
      "percentile": 0.9998484036161284,
      "computed_at": "2025-03-16 07:27:24 UTC"
    }
  }
}
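The following is an added example, not Empirical Security's code, showing how a consumer might reduce a record shaped like the response above to a triage summary: most recent exploitation bucket, CVSS disagreement between sources, days from publication to the CISA KEV entry, and GitHub exploit repositories above a local cut-off. The names `triage` and `parse_ts` and the 0.8 `repo_threshold` are assumptions; the keys follow the response example rather than the data dictionary.

```python
import json
from datetime import datetime, timezone

# Bucket keys, most recent first, as named in the response example on this page.
BUCKETS = ["0_to_7_days", "8_to_30_days", "31_to_90_days", "91_to_365_days", "alltime"]

def parse_ts(value):
    """Parse both timestamp styles seen in the response; None stays None."""
    if value is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")

def triage(record, repo_threshold=0.8):  # repo_threshold: assumed local cut-off
    activity = record.get("exploitation_activity") or {}
    cvss = [c["score"] for c in record.get("cvss") or []]
    published = parse_ts(record.get("published_at"))
    kev = parse_ts(record.get("cisa_kev_added_at"))
    models = record.get("scores") or {}
    github = (record.get("exploits") or {}).get("github") or []
    return {
        "cve": record["identifier"],
        "latest_activity_bucket": next((b for b in BUCKETS if activity.get(b)), None),
        "cvss_range": (min(cvss), max(cvss)) if cvss else None,
        "cvss_sources_disagree": len(set(cvss)) > 1,
        "days_to_kev": (kev - published).days if kev and published else None,
        "github_repos": [g["repo"] for g in github if g["prediction"] >= repo_threshold],
        "top_model": max(models, key=lambda m: models[m]["score"], default=None),
        "scores_computed_at": max((parse_ts(s["computed_at"]) for s in models.values()),
                                  default=None),
    }

# Constructed sample: a trimmed copy of the response example on this page.
SAMPLE = json.loads("""{
 "identifier": "CVE-2023-49103",
 "cvss": [{"score": 10.0, "sources": ["cve@mitre.org", "mitre"]},
          {"score": 7.5, "sources": ["nvd@nist.gov"]}],
 "exploitation_activity": {"0_to_7_days": true, "8_to_30_days": true,
   "31_to_90_days": true, "91_to_365_days": true, "alltime": true},
 "published_at": "2023-11-21T00:00:00.000Z",
 "cisa_kev_added_at": "2023-11-30T00:00:00.000Z",
 "exploits": {"github": [{"repo": "d0rb/CVE-2023-49103", "prediction": 0.8660581707954407}]},
 "scores": {"epss_v4": {"score": 0.9091291982186883, "computed_at": "2025-03-16 18:46:04 UTC"},
            "epss_v3": {"score": 0.92099, "computed_at": "2025-03-16 15:46:16 UTC"},
            "global": {"score": 0.9713943314711305, "computed_at": "2025-03-16 07:27:24 UTC"}}}""")
```

Calling `triage(SAMPLE)` returns a dict; a record with no activity, CVSS, or score data yields `None` for the corresponding fields instead of raising.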