In this article:
Question
There is a new zero day vulnerability added to a scorecard, why is the impact set to 'Info'?
Answer
We will typically add a new issue type/signal within 2 days of the zero day being discovered. The issue type will be listed as 'Potentially Vulnerable' under the Application Security factor.
Zero day 'Potentially Vulnerable' issue types are set as 'Informational' as details of the exploit are still emerging. In the case of a product version that is not discoverable via scanning methods, we will also keep the finding as informational.
Because the zero day vulnerability has its own issue type, a rule alert can be setup to be notified if this finding should arrive on any monitored scorecards.
We also offer Zero Day as a Service (ZDaaS). Please see the following link for details: https://securityscorecard.com/zdaas/
See also