I. Introduction
An increasing number of software vulnerabilities are discovered and publicly disclosed every year. In 2016 alone, more than 10,000 vulnerability identifiers were assigned and at least 6,000 were publicly disclosed by the National Institute of Standards and Technology (NIST)
https://www.nist.gov/
. However, only a small fraction of those vulnerabilities (less than 3%) are found to be exploited in the wild [1]–[4] - a result confirmed in this paper. The current methods for prioritizing patching vulnerabilities appear to fall short. Verizon reported that over 99% of breaches are caused by exploits to known vulnerabilities [5].