Question
Why did SecurityScorecard platform not show any findings for a CVE of my Software or Service?
Answer
SecurityScorecard can only detect CVEs in products that are exposed to the Internet. Because SecurityScorecard uses an outside-in approach, it cannot detect CVEs (for example, CVE-2024-38526) that affect components running locally on a machine, since those components are not visible from outside.
However, if the service is publicly exposed, we may still not have detected the CVE for one of the following reasons:
- Some software does not reveal its version through Nmap scanning or through response headers, so we are not always able to match a fingerprint against a known CVE.
- SecurityScorecard does not scan for every known software type; we concentrate on the most commonly used software and services. We maintain a static list of product and version numbers that we scan for, and we consult the NVD to see which product/version pairs are affected by Common Vulnerabilities and Exposures (CVE) entries. If a new CVE is added to the NVD for a product that is already on our static list, we can detect it. If a CVE is not detectable, we perform a manual review to find out why. If the CVE is for a product we do not detect, we determine whether we can add the product to our static list, and if so, we add it.
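The following is an added illustration, not SecurityScorecard's own code, of why an outside-in scanner can miss a CVE even on an exposed host. It parses constructed Server-header and Nmap-style banners, checks them against a hypothetical static product list and a constructed product/version to CVE table (the CVE IDs are placeholders, not real advisories), and reports which of the reasons above applies: the host is not reachable, the product is not on the list, the version is hidden, or no CVE is recorded for that version. The hosts, banners, and table contents are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed observations, as an outside-in scanner would record them:
# host/port, the raw HTTP Server header or Nmap service banner, and whether
# the port was reachable from the Internet. Not real scan data.
OBSERVATIONS = [
    {"host": "web-1.example", "port": 443, "public": True,
     "banner": "Apache/2.4.49 (Unix)"},              # product and version exposed
    {"host": "web-2.example", "port": 443, "public": True,
     "banner": "nginx"},                              # version suppressed by the operator
    {"host": "web-3.example", "port": 80, "public": True,
     "banner": "Microsoft-IIS/10.0"},                 # known product, nothing in table
    {"host": "bastion.example", "port": 22, "public": True,
     "banner": "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"},    # product not fingerprinted
    {"host": "build-agent.internal", "port": 8080, "public": False,
     "banner": "Apache/2.4.49 (Unix)"},              # same build, but not reachable
]

# Hypothetical static list of products the scanner knows how to fingerprint.
KNOWN_PRODUCTS = {"apache", "nginx", "microsoft-iis"}

# Constructed product/version -> CVE table. IDs are placeholders, not real
# advisories; a real pipeline would derive this from NVD CPE match data.
VULN_TABLE: Dict[Tuple[str, str], List[str]] = {
    ("apache", "2.4.49"): ["CVE-EXAMPLE-0001"],
    ("nginx", "1.18.0"): ["CVE-EXAMPLE-0002"],
}

# A product name, optionally followed by "/" or "_" and a version, then a
# space or end of string (covers "Apache/2.4.49 (Unix)" and "OpenSSH_8.2p1 ...").
BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z][\w.-]*?)(?:[/_](?P<version>\d[\w.]*))?(?:\s|$)"
)


def parse_banner(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (product, version) from a banner; either part may be None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None, None
    return m.group("product").lower(), m.group("version")


def assess(obs: dict) -> dict:
    """Report whether a CVE finding is possible for one observation, and if not, why."""
    product, version = parse_banner(obs["banner"])
    out = {"host": obs["host"], "product": product, "version": version,
           "cves": [], "reason": None}
    if not obs["public"]:
        out["reason"] = "not reachable from the Internet (outside-in blind spot)"
    elif product is None:
        out["reason"] = "banner could not be parsed"
    elif product not in KNOWN_PRODUCTS:
        out["reason"] = "product not on the scanner's static list"
    elif version is None:
        out["reason"] = "version not exposed in banner"
    else:
        out["cves"] = VULN_TABLE.get((product, version), [])
        if not out["cves"]:
            out["reason"] = "no CVE recorded for this product/version"
    return out


def add_product(product: str, version: str, cves: List[str]) -> None:
    """Mirror the manual-review step: put a product on the static list and record its CVEs."""
    KNOWN_PRODUCTS.add(product.lower())
    VULN_TABLE[(product.lower(), version)] = list(cves)


if __name__ == "__main__":
    for obs in OBSERVATIONS:
        r = assess(obs)
        print(f'{r["host"]:22} {str(r["product"]):14} {str(r["version"]):8} '
              f'{r["cves"] or "-"}  {r["reason"] or "detectable"}')
```

Run the script to see each observation classified; only the publicly reachable Apache host yields a finding, and the identical build on the internal build agent is reported as an outside-in blind spot. Calling `add_product` for a product the scanner did not previously fingerprint, and re-running `assess`, shows how the manual-review step turns an undetectable CVE into a detectable one.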