Question
Why do the following Issue Types have a Low Severity starting on July 24th, 2024?
- "Critical Severity CVSS v3.0 Service Vulnerability in Last Observation" (service_vuln_host_v3_critical)
- "High Severity CVSS v3.0 Service Vulnerability in Last Observation" (service_vuln_host_v3_high)
- "Medium Severity CVSS v3.0 Service Vulnerability in Last Observation" (service_vuln_host_v3_medium)
- "Low Severity CVSS v3.0 Service Vulnerability in Last Observation" (service_vuln_host_v3_low)
- "Critical Severity CVSS v3.0 Vulnerability Patching Cadence" (patching_cadence_v3_critical)
- "High Severity CVSS v3.0 Vulnerability Patching Cadence" (patching_cadence_v3_high)
- "Medium Severity CVSS v3.0 Vulnerability Patching Cadence" (patching_cadence_v3_medium)
- "Low Severity CVSS v3.0 Vulnerability Patching Cadence" (patching_cadence_v3_low)
Answer
The Critical/High/Medium/Low in the Issue Type name reflects the CVSS rating, not the SecurityScorecard Severity. CVSS is a measure of Vulnerability Severity while the SSC Severity is a measure of Breach Risk.
In Scoring 3.0, severity is calculated with our data-driven approach, based on correlation to breach. Our Data Science team assessed over 15,000 breaches to identify correlations between Issue Types and breaches. These findings were originally left as Informational when Scoring 3.0 was introduced back in April. After collecting more data, we are ready to score these. According to our data, these issue types have a low risk for breaches, so we have decided to move all of them under "Low Severity/Breach Risk".
Additional Information
Prepare for Scoring 3.0
https://support.securityscorecard.com/hc/en-us/articles/16235105523739-Prepare-for-Scoring-3-0
A Closer Look at Scoring 3.0 Vocabulary and Breach Likelihood
https://support.securityscorecard.com/hc/en-us/articles/22601556325147-A-Closer-Look-at-Scoring-3-0-Vocabulary-and-Breach-Likelihood
Recommended actions to improve your Scoring 3.0 score
https://support.securityscorecard.com/hc/en-us/articles/21213150771355-Recommended-actions-to-improve-your-Scoring-3-0-score
Scoring update release notes for 2024
https://support.securityscorecard.com/hc/en-us/articles/22107693969179-Scoring-update-release-notes-for-2024
Vulnerability Metrics
https://nvd.nist.gov/vuln-metrics/cvss