Question
The SecurityScorecard platform did not show any findings for a CVE of my publicly exposed software or service.
Answer
There are two possible reasons why the platform did not detect a CVE for a Scorecard's publicly facing software.
- Some services do not reveal their software version, either to Nmap service detection or in response headers. Without a version there is nothing to match against a known CVE.
- SecurityScorecard does not necessarily scan for every known software type. We concentrate on the most commonly used software and services and maintain a static list of the product and version numbers we scan for. We consult the NVD to see which product/version pairs are affected by Common Vulnerabilities and Exposures (CVE) entries. If a new CVE is added to the NVD for a product that is already in our static list, we can detect it. If a CVE is not detectable, we perform a manual review to find out why. If the CVE is for a product we do not detect, we determine whether we can add the product to our static list, and if so, we add it.
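The matching described above, as an added example that is not SecurityScorecard's own code: a banner is parsed for a product token and version, the product is looked up in a static list of fingerprintable software, and the version is compared against NVD-style CPE match records (exact version, or a wildcard refined by `versionStartIncluding` / `versionEndIncluding` / `versionEndExcluding`, which are the field names the NVD JSON API uses). The product list and the NVD excerpt are constructed for the example; the two records use real CVE IDs and real affected versions of Apache httpd. The result also reports why a match was not possible, covering both reasons given in the answer: a banner without a version, and a product that is not on the static list.

```python
import re

# Constructed "static list": Server-header product tokens the scanner can
# fingerprint, mapped to the vendor:product pair used in NVD CPE names.
# Hypothetical contents; a real list is much longer.
KNOWN_PRODUCTS = {
    "apache": ("apache", "http_server"),
    "nginx": ("f5", "nginx"),
}

# Constructed excerpt shaped after NVD cpeMatch entries. CVE-2021-41773
# affects Apache httpd 2.4.49 only; CVE-2021-42013 affects 2.4.49 and 2.4.50
# (written here as a range to exercise the range fields).
NVD_CPE_MATCHES = [
    {"cve": "CVE-2021-41773", "vendor": "apache", "product": "http_server",
     "version": "2.4.49"},
    {"cve": "CVE-2021-42013", "vendor": "apache", "product": "http_server",
     "version": "*",
     "versionStartIncluding": "2.4.49", "versionEndIncluding": "2.4.50"},
]

# Product token, optionally followed by "/version"; anything after that
# (e.g. "(Unix)") is ignored.
_HEADER_RE = re.compile(r"^\s*Server:\s*([A-Za-z][\w.-]*)(?:/([\w.]+))?", re.I)


def parse_server_header(header: str):
    """Return (product_token, version) from an HTTP Server header.
    version is None when the banner hides it (the first reason above)."""
    m = _HEADER_RE.match(header)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def version_key(v: str):
    """Turn '2.4.49' into (2, 4, 49) so versions order numerically.
    Non-numeric suffixes are dropped; this is adequate for dotted-numeric
    versions only, and vendor-specific strings need their own rules."""
    parts = []
    for p in v.split("."):
        digits = re.match(r"\d+", p)
        if digits:
            parts.append(int(digits.group()))
    return tuple(parts)


def cpe_match_applies(entry: dict, version: str) -> bool:
    """NVD-style applicability: exact version, or wildcard plus range bounds."""
    vk = version_key(version)
    if entry.get("version", "*") != "*":
        return vk == version_key(entry["version"])
    lo_inc = entry.get("versionStartIncluding")
    hi_inc = entry.get("versionEndIncluding")
    hi_exc = entry.get("versionEndExcluding")
    if lo_inc and vk < version_key(lo_inc):
        return False
    if hi_inc and vk > version_key(hi_inc):
        return False
    if hi_exc and vk >= version_key(hi_exc):
        return False
    return True


def find_cves(header: str) -> dict:
    """Match one banner against the static list and the NVD excerpt, and say
    why no CVE could be reported when that is the outcome."""
    product, version = parse_server_header(header)
    if product not in KNOWN_PRODUCTS:
        return {"status": "unknown_product", "product": product, "cves": []}
    if version is None:
        return {"status": "no_version", "product": product, "cves": []}
    vendor, cpe_product = KNOWN_PRODUCTS[product]
    cves = sorted({e["cve"] for e in NVD_CPE_MATCHES
                   if (e["vendor"], e["product"]) == (vendor, cpe_product)
                   and cpe_match_applies(e, version)})
    return {"status": "matched" if cves else "no_cve", "product": product,
            "version": version, "cves": cves}


if __name__ == "__main__":
    # Constructed banners covering a hit, a patched version, a hidden version
    # and a product outside the static list.
    for banner in ("Server: Apache/2.4.49 (Unix)", "Server: Apache/2.4.51",
                   "Server: nginx", "Server: Microsoft-IIS/10.0"):
        print(banner, "->", find_cves(banner))
```

The `no_version` and `unknown_product` outcomes are the two situations the answer describes; only the last, a product missing from the static list, is something the scanner's maintainers can fix by extending the list, while a banner that hides its version cannot be matched by any version-based method.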