All low-, medium-, and high-severity Common Vulnerabilities and Exposures (CVEs) that we discover in your domains affect your Scorecard score. Issue types that list CVEs are grouped by severity level, based on each CVE's Common Vulnerability Scoring System (CVSS) score.
Note: SecurityScorecard maps scores using CVSS version 3.0.
Use this article to identify, remediate, and resolve CVE-related issue types in your Scorecard.
Issue types with score-impacting CVEs
Check your Scorecard for the following issue types.
| Issue type | Description | Factor | CVSS v3.0 score range |
|
High-Severity Vulnerability in Last Observation (In API: service_vuln_host_high) |
CVEs we find by scanning the entire internet by IP. Examples: CVE-2018-16844, CVE-2019-20372, CVE-2018-16843. |
Patching Cadence | 7.0–10 |
|
Medium-Severity Vulnerability in Last Observation (In API: service_vuln_host_medium) |
4.0–6.9 | ||
|
Low-Severity Vulnerability in Last Observation (In API: service_vuln_host_low) |
0.0–3.9 | ||
|
High-Severity Content Management System Vulnerabilities Identified (In API: web_vuln_host_high) |
CVEs in content management applications such as WordPress or Drupal, and their plug-ins, which let users create and modify digital content through a common interface. Examples: CVE-2018-7600, CVE-2014-3704, CVE-2015-6659. |
Application Security | 7.0–10 |
|
Medium-Severity Content Management System Vulnerabilities Identified (In API: web_vuln_host_medium) |
4.0–6.9 | ||
|
Low-Severity Content Management System Vulnerabilities Identified (In API: web_vuln_host_low) |
0.0–3.9 | ||
|
High-Severity CVEs Patching Cadence (In API: patching_cadence_high) |
CVEs that remain unresolved in the Scorecard more than 45 days after the CVE was published. These issue types do not identify newly discovered CVEs. Note: A separate set of issue types, High-, medium-, and low-severity CVE patching analyzed, reports statistics on CVEs detected in a network, the percentage resolved in the past 180 days, and how quickly you apply patches. It does not list individual CVEs. |
Patching Cadence | 7.0–10 |
|
Medium-Severity CVEs Patching Cadence (In API: patching_cadence_medium) |
4.0–6.9 | ||
|
Low-Severity CVEs Patching Cadence (In API: patching_cadence_low) |
0.0–3.9 |
View score-impacting CVEs in SSC
To view the Findings table for any of these issue types, go to My Organization > My Scorecard > Issues and select the issue type. The table shows a row for each discovered instance of each CVE to help you investigate.
Tip: The Findings table and its .csv export list a maximum of 500 CVEs. If an issue type has more than 500 CVEs, call the API endpoint for that issue type to retrieve them all. See the API documentation link in the table above.
How we find and flag CVEs
During our recurring scans of the entire internet, we identify exposed services running on 1,300 ports. These scans do not detect services running behind firewalls. We read each service's version from its banner, headers, or other publicly accessible application responses, then correlate the version with published vulnerability data to determine whether the service and version are vulnerable.
We also incorporate some CVE information from third-party sources.
Address CVE-related issue types
Prioritize CVEs by issue type and severity to address the highest-risk vulnerabilities first. Click a CVE in the Findings table to open its detailed entry in the National Vulnerability Database (NVD).
Use the links in the References section to find recent industry advisories, remediation solutions, possible compensating controls, and other resources.
Also, monitor the patching update feeds for products you use on your site, and apply updates as soon as they are available.
After you remediate a finding, submit it to the SecurityScorecard Support team for review.