DEV Community: ethicals7s

I Built an EPSS-Integrated CVE Risk Scoring Tool (Day0Predictor v0.1)

ethicals7s — Fri, 12 Dec 2025 18:58:33 +0000

Security teams don’t have a CVE problem — they have a prioritization problem.

CVSS tells us severity.
EPSS tells us likelihood of exploitation.

But defenders still end up asking:

“Which CVEs do I actually fix first?”

To explore that gap, I built Day0Predictor v0.1 — a defensive, transparent CVE risk scoring tool that integrates EPSS signals with interpretable machine learning.

This is not a zero-day detector and not a scanner.
It’s a prioritization signal designed to be auditable and explainable.

🔍 What Day0Predictor Does

Combines EPSS score + percentile

Adds structured threshold features (≥0.01, ≥0.10, ≥0.50)

Trains a lightweight, interpretable model

Outputs:

Risk score (0–100)

Features used

Reasons for the score

Clear disclaimers

No black box. No hype.

🧠 Why EPSS Alone Isn’t Enough

EPSS is powerful, but in practice:

Scores fluctuate daily

Context is missing (attack patterns, structure)

Defenders still need explanation

Day0Predictor treats EPSS as strong evidence, not truth.

Think of it as:

EPSS + structure + explainability

🧪 Example Output
{
"cve_id": "CVE-2021-44228",
"risk": 98,
"mode": "trained_model_epss",
"features": {
"epss": 0.94358,
"percentile": 0.99957,
"epss_ge_050": 1.0
},
"reasons": [
{ "feature": "epss", "direction": "up" },
{ "feature": "percentile", "direction": "up" }
]
}

This is the kind of output defenders can audit and trust.

🛠️ CLI Usage

Score a CVE directly by ID using EPSS:

day0predict score-epss \
--cve-id CVE-2021-44228 \
--model models/day0predict.joblib \
--format json

You can also score CVE JSON files directly.

📊 Model Notes

Logistic regression (intentionally simple)

Handles class imbalance

ROC-AUC ≈ 0.92

Explainability prioritized over complexity

This tool is meant to support human judgment, not replace it.

📦 Open Source

GitHub:
👉 [https://github.com/ethicals7s/day0predictor-v0.1]

(https://github.com/ethicals7s/day0predictor-v0.1)

MIT licensed. Feedback and PRs welcome.

🔮 What’s Next

Ideas for v0.2:

Time-aware training (train on past → predict future)

Explicit CISA KEV features

Lightweight web demo

Expanded text feature analysis

🧠 Final Thought

Security doesn’t need more hype tools.

It needs boring, honest, defensible signals that help humans decide what matters now.

That’s what I tried to build with Day0Predictor.

My First Ethical Open Redirect Scanner: From Zero to Shipped

ethicals7s — Sun, 07 Dec 2025 01:39:01 +0000

Hey dev community! I'm ethicals7s, a self-taught hacker grinding from zero—no mentors, just raw determination after losing my parents young. In a few intense days, I designed, coded, and shipped my first ethical open redirect vulnerability scanner in Node.js. This tool isn't just basic—it's optimized with async parallel scans, rate limiting for responsible testing, and JSON export for pro-level logging, making it faster and more robust than my earlier Python attempts. Here's the full breakdown: my journey, the tech behind it, and how you can dive in.
The Journey

As someone building my way up in tech, I wanted a tool to automate bug bounty hunts for open redirects—those sneaky params that can lead to phishing or worse. I started with research on OWASP guidelines, sketched the logic (payload injection, HTTP status checks), and coded it step by step. Debugging async issues and adding ethics (like delays to avoid DoS) was the real grind, but it taught me tons about full-stack security. This is my unconventional route to senior-level skills—turning challenges into code that matters.
Features

Batch testing: Reads URLs from a text file for efficient scans.
Payload injection: Appends ?redirect=https://evil.com to detect vulnerable redirects.
Async parallelism: Uses Promise.all for simultaneous checks—blazing fast on multiple URLs.
Rate limiting: Built-in 1-second delay per scan to prevent abuse and stay ethical.
JSON export: Saves results as structured data for analysis or reports.
Ethical focus: Designed for permitted testing only, with safe examples and warnings.

Install
Get the dependencies with npm:
npm install axios yargs

Usage

Create urls.txt with one URL per line (safe tests only—e.g., known redirect mimics):texthttps://www.google.com/url?q=https://evil.com
https://example.com
https://www.koni-store.ru/bitrix/redirect.php?event1=&event2=&event3=&goto=https://google.com

Run the scanner:node index.js scan

Example Output

Scanning for open redirects (ethical tests only)...
https://www.google.com/url?q=https://evil.com is VULNERABLE.
https://example.com is SAFE.
https://www.koni-store.ru/bitrix/redirect.php?event1=&event2=&event3=&goto=https://google.com is VULNERABLE.

results.json (auto-generated):
text[
{
"url": "https://www.google.com/url?q=https://evil.com",
"status": "VULNERABLE"
},
{
"url": "https://example.com",
"status": "SAFE"
},
{
"url": "https://www.koni-store.ru/bitrix/redirect.php?event1=&event2=&event3=&goto=https://google.com",
"status": "VULNERABLE"
}
]

Code Snippet (index.js)
Here's the core—clean, efficient, and ready to fork:
JavaScriptconst fs = require('fs');
const axios = require('axios');
const path = require('path');
const yargs = require('yargs');

const MALICIOUS_DOMAIN = 'evil.com';
const INPUT_FILE = path.join(__dirname, 'urls.txt');

async function checkForOpenRedirect(url) {
try {
const testUrl = ${url}?redirect=https://${MALICIOUS_DOMAIN};
const response = await axios.get(testUrl, { maxRedirects: 0, validateStatus: null });
if (response.status > 300 && response.status < 400) {
const location = response.headers.location;
if (location && location.includes(MALICIOUS_DOMAIN)) {
return true;
}
}
return false;
} catch (error) {
console.error(Error checking ${url}: ${error.message});
return false;
}
}

async function main(file = INPUT_FILE) {
if (!fs.existsSync(file)) {
console.error(Input file not found: ${file});
console.log('Please create a urls.txt file with one URL per line. Use safe tests only.');
return;
}
const urls = fs.readFileSync(file, 'utf-8').split('\n').filter(Boolean);
console.log('Scanning for open redirects (ethical tests only)...');
const results = await Promise.all(urls.map(async (url) => {
const vulnerable = await checkForOpenRedirect(url);
await new Promise(resolve => setTimeout(resolve, 1000)); // Rate limit
return { url, status: vulnerable ? 'VULNERABLE' : 'SAFE' };
}));
results.forEach(({ url, status }) => console.log(${url} is ${status}.));
fs.writeFileSync('results.json', JSON.stringify(results, null, 2)); // JSON export
}

// CLI
yargs.command('scan', 'Scan for open redirects', {
file: { description: 'Input file', alias: 'f', type: 'string', default: 'urls.txt' }
}, (argv) => main(argv.file))
.help()
.argv;
Notes

Ethical Use Only: Permission-based testing only. Inspired by bug bounties—report responsibly. No production scans without consent.
License: MIT—fork it on GitHub: https://github.com/ethicals7s/ethicals7s-redirect-hunter

What do you think? Fork, test, or suggest improvements—let's collab! Next: Fraud detector or cert grind. Feedback welcome!