In this article:
SecurityScorecard regularly introduces changes that can affect your score, such as scoring recalibrations, new issue types, or modified severity levels. We announce these updates here in advance so you can anticipate any impact on your Scorecard and take appropriate action.
Learn more about how scoring updates work:
What is a scoring update?
What should you look for in the platform to know if an update will affect your score?
What is the delay in reporting on a data breach?
June
June 12, 2024 (done on July 24, scoring date 2024-07-23)
Platform recalibration updates
As part of the Quarterly Platform Recalibration planned for July 24, we are making the following updates, which may affect your score.
CVSSv3 migration
On April 8, we added CVSSv3 issue types to the platform as INFORMATIONAL for Scoring 3.0. Starting July 24, these issue types will be scored. Because CVSSv3 defines a Critical severity band that CVSSv2 does not, we have also added Critical-severity issue types to the platform to align with CVSSv3.
Reason: For fair and accurate ratings, our scoring baselines must continuously reflect changes in the cybersecurity landscape.
Score impact: The recalculation will change overall scores on scorecards affected by the above changes.
May
May 30, 2024
Two New Hacker Chatter Signals
We have added two new Hacker Chatter signals to the platform. These signals provide organizations with information collected from various clearweb and dark web sources.
- Factor: Hacker Chatter
- Issue Types:
  - Data Leak Detected
  - Domain Targeted By Threat Actor Group
- Breach Risk: Informational
Reason: These signals give visibility into threat actors' ongoing campaigns and targets, so organizations can react and improve their defenses to prevent and stop attacks.
Score impact: None. These are informational issue types.
March
March 13, 2024
CVSSv3 Data Filter
A data filter is being added to improve the quality of CVSSv3 data by controlling the overlap between CVSSv2 and CVSSv3 issue types and eliminating duplicate findings.
Reason: Some findings currently marked as CVSSv2 are actually CVSSv3, which creates duplicate findings.
Score impact: This is expected to have a positive score impact on customers.
January
January 31, 2024
Age Out Update for Issue Type - Exposed Personal Information (Historical)
We are setting the Age Out of the Exposed Personal Information (Historical) issue type to 180 days. With this change, any findings older than 180 days will decay from scorecards.
Reason: Previously, this issue type had no age out.
Score impact: A score gain is expected for customers with findings older than 180 days for this issue type. Learn more about decayed findings here.
January 18, 2024
New issue types for RocketMQ zero-day vulnerability
We are adding 2 new INFORMATIONAL issue types to the platform, tied to vulnerabilities in Apache RocketMQ. The underlying vulnerabilities stem from insufficient permission verification in key components such as the NameServer, Broker, and Controller. When these components are exposed to the internet, they create a significant security risk.
- Potentially Vulnerable cve concerning RocketMQ (CVE-2023-37582)
  - Factor: Application Security
  - Severity: INFORMATIONAL
- Potentially Vulnerable cve concerning RocketMQ (CVE-2023-33246)
  - Factor: Application Security
  - Severity: INFORMATIONAL
Reason: A threat actor who exploits these vulnerabilities can steal data, install malware, change the configuration of the exploited server, and perform other malicious actions. If findings for these issue types appear on your Scorecard, we recommend you take immediate action. See our blog post for more information.
Score impact: None. These are informational issue types.
January 14, 2024
New issue types for Ivanti zero-day vulnerability
We are adding 3 new INFORMATIONAL issue types to the platform. Two of them are tied to the two vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure that researchers discovered being used together in the same exploit chain. These vulnerabilities affect every version of Connect Secure and Policy Secure 9.x and 22.x that Ivanti currently supports.
- Potentially Vulnerable Ivanti Connect Secure or Ivanti Policy Secure (CVE-2024-21887)
  - Factor: Application Security
  - Severity: INFORMATIONAL
- Potentially Vulnerable Ivanti Connect Secure and Ivanti Policy Secure Gateways (CVE-2023-46805)
  - Factor: Application Security
  - Severity: INFORMATIONAL
- Potentially Vulnerable Cisco RV320/RV325 Router
  - Factor: Network Security
  - Severity: INFORMATIONAL
Reason: A threat actor who exploits these vulnerabilities can steal data, install malware, change the configuration of the exploited device, and perform other malicious actions. If findings for these issue types appear on your Scorecard, we recommend you take immediate action. See our blog post for more information.
Score impact: None. These are informational issue types.