Overview of Patching Cadence Issue Types
This Knowledge Base article refers to the following Patching Cadence Issue Types, not the broader Patching Cadence Score Factor:
- Critical/High/Medium/Low-Severity CVSS v3.0 Vulnerability Patching Cadence
- High/Medium/Low Severity CVEs Patching Cadence
What Are Patching Cadence Findings?
Patching Cadence Findings are vulnerabilities associated with CVEs (Common Vulnerabilities and Exposures) that appear in Scorecards when they are not patched within a severity-dependent timeframe after the CVE is published in the NIST National Vulnerability Database (NVD).
Why Are Patching Cadence Findings Important?
Patching Cadence Findings reflect how promptly an organization patches known vulnerabilities. Vulnerabilities that remain unpatched well past their publication date signal a weak security posture, because publicly documented CVEs are exactly what attackers scan for and exploit first. Delayed patching therefore increases the risk of compromise and negatively impacts the organization's Security Score.
When Are Patching Cadence Findings Not Added to the Scorecard?
Patching Cadence Findings will not be added to the Scorecard if the corresponding vulnerability is patched within the timeframes below:
| Severity | Timeframe (days after NVD publication) |
| --- | --- |
| Critical-Severity | 30 |
| High-Severity | 45 |
| Medium-Severity | 90 |
| Low-Severity | 120 |
Note: These timeframes start from the date the CVE is first published in the NIST NVD.
When Are Patching Cadence Findings Added to the Scorecard?
If the vulnerability is not patched within the timeframe for its severity, the corresponding Patching Cadence finding for that severity is added to the Scorecard.
How Can You Remove Patching Cadence Findings from the Scorecard?
Patching Cadence Findings are intended to reflect an organization's past behaviour regarding vulnerability remediation. As such, these findings remain on the Scorecard longer than Service Vulnerability findings and are only removed by decaying over time. The one exception is a False Positive: a finding that should never have been added can be removed on that basis.
Once the vulnerability is addressed, we stop monitoring it, and the decay period begins from the date the open vulnerability was last observed (not from the date the patch was applied, if those differ).
Formula for Decay of Patching Cadence findings:
Decay Date of Finding = Date of Last Observation of the vulnerability + Decay Period
Decay Periods for Patching Cadence Findings
Once a Patching Cadence Finding is added to the Scorecard, the following decay periods apply based on the severity of the vulnerability:
| Severity | Decay Period (days after last observation) |
| --- | --- |
| Critical-Severity | 150 |
| High-Severity | 120 |
| Medium-Severity | 90 |
| Low-Severity | 60 |
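The following is an added worked example of the two rules above (the patch-within timeframe that decides whether a finding is added, and the decay formula that decides when it leaves the Scorecard). It is illustrative code written for this article, not SecurityScorecard's own implementation. It assumes that a patch applied on the last day of the timeframe still counts as "within" it (the article does not state the boundary explicitly), and the vulnerability records and dates it uses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch-within timeframes from the article, in days after NVD publication.
PATCH_WINDOW_DAYS = {"critical": 30, "high": 45, "medium": 90, "low": 120}
# Decay periods from the article, in days after the last observation.
DECAY_PERIOD_DAYS = {"critical": 150, "high": 120, "medium": 90, "low": 60}


def normalize_severity(label: str) -> str:
    """Accept 'Critical', 'Critical-Severity', 'HIGH', etc. and return a table key."""
    key = label.lower().replace("-severity", "").strip()
    if key not in PATCH_WINDOW_DAYS:
        raise ValueError(f"unknown severity: {label!r}")
    return key


@dataclass
class Vulnerability:
    name: str                 # constructed label, not a real CVE identifier
    severity: str
    nvd_published: date       # date the CVE was first published in NIST NVD
    last_observed: date       # last date the vulnerability was seen open
    patched_on: Optional[date]  # None while the vulnerability is still open


def patch_deadline(v: Vulnerability) -> date:
    """Last day on which a patch keeps the finding off the Scorecard (assumed inclusive)."""
    return v.nvd_published + timedelta(days=PATCH_WINDOW_DAYS[normalize_severity(v.severity)])


def finding_added(v: Vulnerability, as_of: date) -> bool:
    """A finding is added once the vulnerability is seen open past its deadline."""
    deadline = patch_deadline(v)
    if v.patched_on is not None:
        return v.patched_on > deadline
    return as_of > deadline


def decay_date(v: Vulnerability) -> date:
    """Decay Date = Date of Last Observation + Decay Period (article formula)."""
    return v.last_observed + timedelta(days=DECAY_PERIOD_DAYS[normalize_severity(v.severity)])


def finding_status(v: Vulnerability, as_of: date) -> str:
    """One of: 'not added', 'open', 'decaying', 'decayed'."""
    if not finding_added(v, as_of):
        return "not added"
    if v.patched_on is None:
        return "open"            # still being observed; decay clock has not started
    if as_of >= decay_date(v):
        return "decayed"         # no longer shown on the Scorecard
    return "decaying"            # patched, but still counted against the Scorecard


def scorecard_findings(vulns, as_of: date):
    """Names of the findings that appear on the Scorecard as of the given date."""
    return [v.name for v in vulns if finding_status(v, as_of) in ("open", "decaying")]


# Constructed sample data (dates and names invented for this example).
SAMPLE = {
    # Critical, patched on day 19: inside the 30-day window, never added.
    "critical-on-time": Vulnerability("critical-on-time", "Critical-Severity",
                                      date(2024, 1, 1), date(2024, 1, 19), date(2024, 1, 20)),
    # Critical, last seen open 1 Mar, patched 3 Mar: added; decay runs 150 days from 1 Mar.
    "critical-late": Vulnerability("critical-late", "Critical-Severity",
                                   date(2024, 1, 1), date(2024, 3, 1), date(2024, 3, 3)),
    # Low, still open: added only once 120 days have passed since publication.
    "low-open": Vulnerability("low-open", "Low-Severity",
                              date(2024, 1, 1), date(2024, 6, 1), None),
}

if __name__ == "__main__":
    for day in (date(2024, 3, 1), date(2024, 6, 1), date(2024, 8, 1)):
        print(day, scorecard_findings(SAMPLE.values(), day))
```

Note that "critical-late" decays from its last observation (1 March) rather than from its patch date (3 March), and that "low-open" is absent from the Scorecard on 1 March even though it is unpatched, because its 120-day window has not yet elapsed.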
Difference Between Service Vulnerability and Patching Cadence Findings
| Aspect | Service Vulnerability in Last Observation | Patching Cadence Findings |
| --- | --- | --- |
| Remediation | Removed as soon as the vulnerability is addressed. | Must decay over time, based on severity. |
| Scorecard Addition | Added to the Scorecard immediately once observed. | Added only after the severity's timeframe has elapsed since first NVD publication. |