Read this article to understand how the following issue types correspond to each other:
- Critical-, high-, medium-, and low-severity vulnerability found in last observation
- Critical-, high-, medium-, and low-severity CVE patching cadence
In summary, a finding for Vulnerability found in last observation also produces a finding under the corresponding CVE patching cadence issue type if the organization takes too long to patch the vulnerability.
Note: This also applies to findings for the issue types critical-, high-, medium-, and low-severity content management system vulnerabilities identified.
If a finding is patched within certain timeframes
If a finding for Vulnerability Found is patched within 30 days (critical severity), 45 days (high severity), 90 days (medium severity), or 120 days (low severity) after the CVE publication date, we do not add a corresponding CVE Patching Cadence finding.
If a finding is patched outside of certain timeframes
If a finding for Vulnerability Found is patched only after the number of days listed in the preceding section has passed, a CVE Patching Cadence finding is created.
Note: Both findings can appear on a Scorecard at the same time.
If the vulnerability is observed again, the Last observed date of the patching cadence finding is updated and its lifetime is extended accordingly.
Learn more about patching cadence findings
The following points are helpful for understanding how we handle patching cadence findings:
- CVE patching cadence findings are meant to stay on Scorecards because they are a statement about the past behavior of an organization and its ability to respond to the vulnerability.
- These findings are automatically removed from Scorecards after 60 days (low severity), 90 days (medium severity), 120 days (high severity), and 150 days (critical severity) since the last observation of the issue.
- CVE patching cadence is currently the only issue type on the platform whose findings need to decay on their own.
- To detect the vulnerabilities that feed patching cadence measurements, SecurityScorecard scans the target with public detection tooling, nmap -sV -Pn <target> (service and version detection with host discovery disabled), maps the detected software and version to CPEs, and cross-references those CPEs against the CVE list published at https://nvd.nist.gov/vuln/full-listing. CPE matches appear as findings. Because the match is based on the version string the service reports, a vendor fix that does not change that version string (a backported patch) can still match; see Resolving CVE findings below.
Decay periods for findings
Here is a summary of what happens if a finding for Vulnerability found in last observation is not addressed within the prescribed timeframes:
Low-severity vulnerability found in last observation
- The finding decays after 45 days.*
- After 120 days from the CVE publication date, an additional finding is created under Low-severity CVE patching cadence.
Medium-severity vulnerability found in last observation
- The finding decays after 45 days.*
- After 90 days from the CVE publication date, an additional finding is created under Medium-severity CVE patching cadence.
High-severity vulnerability found in last observation
- The finding decays after 45 days.*
- After 45 days from the CVE publication date, an additional finding is created under High-severity CVE patching cadence.
Critical-severity vulnerability found in last observation
- The finding decays after 45 days.*
- After 30 days from the CVE publication date, an additional finding is created under Critical-severity CVE patching cadence.
* Counted from the date of last observation of the Vulnerability found in last observation finding. See the separate article on decay periods for details.
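The following script is an added example and is not SecurityScorecard code. It models the pipeline this page describes: parse nmap -sV output (the XML form produced by -oX), collect the CPEs nmap attaches to open services, match them against a CVE list with severity and publication date, and then apply the patching windows and decay periods listed above. The nmap output, CPEs, CVE identifiers and dates are constructed placeholders, and treating "within N days" as inclusive of day N is an assumption.

```python
"""Toy model of the CVE detection and patching cadence rules on this page.

Added example, not SecurityScorecard code. Scan output, CPEs, CVE IDs and
dates are constructed placeholders; inclusive window boundaries are assumed.
"""
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Days after CVE publication within which patching avoids a cadence finding.
PATCH_WINDOW_DAYS = {"critical": 30, "high": 45, "medium": 90, "low": 120}
# Days after last observation after which a cadence finding decays.
CADENCE_DECAY_DAYS = {"critical": 150, "high": 120, "medium": 90, "low": 60}
# Days after last observation after which a vulnerability-found finding decays.
VULN_DECAY_DAYS = 45

# Constructed nmap -sV -Pn -oX output; not a real scan.
NMAP_XML = """<nmaprun>
 <host>
  <address addr="198.51.100.7" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="ExampleSSH" version="1.2.3">
     <cpe>cpe:/a:example:examplessh:1.2.3</cpe></service></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="https" product="ExampleWeb" version="4.0">
     <cpe>cpe:/a:example:exampleweb:4.0</cpe></service></port>
   <port protocol="tcp" portid="25"><state state="closed"/></port>
  </ports>
 </host>
</nmaprun>"""

# Constructed CVE list in the shape of NVD CPE matches; IDs are placeholders.
CVE_LIST = [
    {"cve": "CVE-0000-0001", "cpe": "cpe:/a:example:exampleweb:4.0",
     "severity": "critical", "published": date(2024, 1, 10)},
    {"cve": "CVE-0000-0002", "cpe": "cpe:/a:example:examplessh:1.2.3",
     "severity": "medium", "published": date(2024, 2, 1)},
    {"cve": "CVE-0000-0003", "cpe": "cpe:/a:example:exampleweb:3.9",
     "severity": "high", "published": date(2024, 1, 1)},  # other version
]


def parse_cpes(xml_text):
    """Return (ip, port, cpe) for every CPE nmap attached to an open service."""
    root = ET.fromstring(xml_text)
    out = []
    for host in root.iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            for cpe in svc.findall("cpe"):
                out.append((ip, int(port.get("portid")), cpe.text.strip()))
    return out


def match_cves(observed, cve_list):
    """Exact CPE match, so the version-3.9 entry does not match version 4.0."""
    by_cpe = {}
    for entry in cve_list:
        by_cpe.setdefault(entry["cpe"], []).append(entry)
    return [{"ip": ip, "port": port, **entry}
            for ip, port, cpe in observed for entry in by_cpe.get(cpe, [])]


def cadence_finding_created(severity, published, patched_on=None, today=None):
    """True when a CVE patching cadence finding is created: the fix landed
    after the window, or the vulnerability is still open once it has passed."""
    deadline = published + timedelta(days=PATCH_WINDOW_DAYS[severity])
    if patched_on is not None:
        return patched_on > deadline
    return today is not None and today > deadline


def decay_date(kind, severity, last_observed):
    """Date on which a 'cadence' or 'vulnerability' finding leaves the Scorecard."""
    if kind == "cadence":
        return last_observed + timedelta(days=CADENCE_DECAY_DAYS[severity])
    if kind == "vulnerability":
        return last_observed + timedelta(days=VULN_DECAY_DAYS)
    raise ValueError(kind)


if __name__ == "__main__":
    seen = date(2024, 3, 1)  # constructed last-observation date
    for f in match_cves(parse_cpes(NMAP_XML), CVE_LIST):
        print(f"{f['ip']}:{f['port']} {f['cve']} ({f['severity']}): "
              f"cadence finding as of {seen}: "
              f"{cadence_finding_created(f['severity'], f['published'], today=seen)}; "
              f"vulnerability finding decays {decay_date('vulnerability', f['severity'], seen)}")
```

Run it as-is to see, for each matched CPE, whether the patch window has already elapsed on the constructed observation date and when the vulnerability-found finding would decay. Exact CPE matching is deliberate: it shows why a version string that never changes (a backported fix) keeps matching until the finding is disputed.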
Resolving CVE findings
In response to resolution requests, we remove CVE findings from the Scorecard for the following reasons:
- The IP was never used by the company (misattribution).
- The fix was backported: the vendor patched the vulnerability without changing the version string that the scan reports, so the version-based CPE match is a false positive.
- At the time of the finding, the IP did not yet belong to the organization.
For all of the reasons mentioned above, we need to see evidence before removing findings, in line with the current product policies.
If you have any additional questions or believe that these findings should be removed for another reason, submit a resolution request with additional information explaining the situation. Our Support team reviews each case individually.