Classification
Vulnerability Scanning Documentation
This document describes the process and standards used by our vulnerability scanner to identify and classify security vulnerabilities. It details key concepts such as CVE, CVSS, and CWE, and explains how severities are determined based on FIRST.org standards.
Our vulnerability scanner adheres to the standards set by FIRST.org for classifying vulnerability severity, using four levels: Low, Medium, High, and Critical. These levels are assigned based on the following criteria:
When a vulnerability has an associated CVE and CVSS score, the severity is determined directly by the CVSS score, according to the standard ranges:
Severity Level    CVSS Score
Low               0.1–3.9
Medium            4.0–6.9
High              7.0–8.9
Critical          9.0–10.0
This approach ensures that classification is consistent with global cybersecurity standards, enabling effective prioritization based on severity.
For vulnerabilities that do not have an associated CVE, the scanner automatically classifies them as "Warning" for manual review. This custom level is used because:
The absence of a CVE means there is no standardized CVSS score to determine severity.
These vulnerabilities can pose significant risks, depending on the context, and require manual assessment to determine their true impact.
The “Warning” rating flags these vulnerabilities for human attention so that they are not overlooked.
This strategy reflects a cautious approach, recognizing that vulnerabilities without CVEs can be just as dangerous as those with known identifiers, especially on critical systems.
The scanner uses MITRE standards to ensure consistency in identifying and categorizing vulnerabilities. Each detected vulnerability is associated with:
CWE: Identifies the underlying weakness in the software, such as an input validation failure.
CVE: When available, provides the unique identifier of the vulnerability.
CVSS: Includes the numeric score and the corresponding severity level (Low, Medium, High, Critical) in a separate field for clarity.
This integration with MITRE standards ensures that the scanner produces detailed reports that are compliant with cybersecurity best practices.
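As an added illustration (not the scanner's own code), the severity rules and the "Warning" path described above, together with the CWE/CVE/CVSS report fields, expressed as a small Python classifier. How it treats a CVE that has no CVSS score, and a score outside the 0.1–10.0 table (such as 0.0), is an assumption of this example, not something the document specifies.

```python
from dataclasses import dataclass
from typing import Optional

# CVSS ranges used by the scanner (FIRST.org qualitative rating scale), bounds inclusive.
SEVERITY_RANGES = (
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
)


@dataclass
class Finding:
    cwe: str                      # underlying weakness, e.g. "CWE-20" (input validation)
    cve: Optional[str] = None     # None when no CVE has been assigned
    cvss: Optional[float] = None  # CVSS base score; None when unscored


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the scanner's severity label."""
    score = round(score, 1)  # CVSS scores carry one decimal; avoid float gaps like 3.95
    for label, low, high in SEVERITY_RANGES:
        if low <= score <= high:
            return label
    # 0.0 ("None" in CVSS) or a malformed score falls outside the table.
    # Assumption of this example: send it to manual review rather than guess.
    return "Warning"


def classify(finding: Finding) -> dict:
    """Build the report record: CWE, CVE, and CVSS score/severity as separate fields."""
    record = {"cwe": finding.cwe, "cve": finding.cve, "cvss_score": finding.cvss}
    if finding.cve is None or finding.cvss is None:
        # No CVE means no standardized CVSS score, so the scanner flags the
        # finding for manual review. Handling a CVE that lacks a score the
        # same way is an assumption of this example.
        record["severity"] = "Warning"
        record["manual_review"] = True
    else:
        record["severity"] = severity_from_cvss(finding.cvss)
        record["manual_review"] = False
    return record


if __name__ == "__main__":
    # Constructed sample findings; "CVE-YYYY-NNNNN" is a placeholder identifier.
    for f in (Finding(cwe="CWE-79", cve="CVE-YYYY-NNNNN", cvss=6.1), Finding(cwe="CWE-20")):
        print(classify(f))
```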
Our vulnerability scanner is designed to accurately and consistently identify and classify security vulnerabilities using industry standards such as CVE, CVSS, and CWE, maintained by MITRE and FIRST.org. The inclusion of a custom “Warning” level for non-CVE vulnerabilities reflects a cautious approach, ensuring that potential risks are not overlooked.
MITRE and FIRST.org standards are updated regularly, and VScanner adapts to these changes to stay compliant.