Findings for the Vulnerability found in Last Observation issue types are added to the Scorecard either:
- Right away, if the underlying asset already exists on the Scorecard's Digital Footprint; or
- As soon as the asset is added to the Scorecard's Digital Footprint.
Note: The same applies to findings for the Critical-, High-, Medium-, and Low-severity Content Management System Vulnerabilities Identified issue types.
Decay periods for Vulnerability found in Last Observation findings:
Findings under the Low-, Medium-, High-, and Critical-severity Vulnerability found in Last Observation issue types decay after 45 days, provided the CVE has been patched. If the vulnerability is not patched within a certain period after its publication in the NIST National Vulnerability Database (NVD), Patching Cadence findings are raised against those CVEs instead. The following KB article covers that issue type in more detail: Understanding Patching Cadence Findings
Resolving CVE findings
In response to resolution requests, CVE findings are removed from the Scorecard for the following reasons:
- The IP was never used by the company (misattribution).
- The fix was backported (the software reports an older version string even though the patch is applied, so version-based detection flags it incorrectly).
- At the time of the finding, the IP did not yet belong to the organization.
For each of the reasons above, evidence is required before a finding is removed, in line with the current product policies.
If you have additional questions, or believe these findings should be removed for another reason, submit a resolution request with additional information explaining the situation. The Support team reviews each case individually.