Change of Severity scoring and levels from 2023-02-28 23:01 UTC to 2023-03-03 22:01 UTC
This change has now been applied and is now officially generally available!
The Severity levels and the scoring is now primarily derived from the CVSS 3.1 framework, with a fallback to CVSS 3.0 and 2.0 (which is required for older vulnerabilities where 3.1 does not exist).
This applies to vulnerabilities in systems and devices found when scanned using System & Network Scanning products and the lightweight endpoint agent - Device Agent.
If you have any questions, feel free to reach out to firstname.lastname@example.org.
This has been moved and is now scheduled for 1st Mar.
We have postponed this one week forward in time but still aim to finish it before the end of February.
As previously communicated, we will change how severity levels are applied to vulnerabilities based on the specific ranges of the CVSS score from the CVEs connected to the vulnerabilities. This applies to vulnerabilities in systems and devices found when scanned using System & Network Scanning products and the lightweight endpoint agent - Device Agent.
Currently, the Severity levels come from the CVSS 2.0 framework with custom-defined levels/ranges by Holm Security.
After this change to Security Center, the Severity levels and the scoring will be primarily derived from the CVSS 3.1 framework, with a fallback to CVSS 3.0 and 2.0 (which is required for older vulnerabilities where 3.1 does not exist).
How will this affect me?
All vulnerabilities across Security Center will be moved to the new Severity levels. This can result in some vulnerabilities changing the Severity, for example, from Critical to High or Medium to Low. This is a one-time change and is something we do to ensure Security Center stands on a solid foundation for the future.
What do I need to do?
This change will be automatically managed by Holm Security, and we currently don’t have any action required from you as a customer to be performed. When we get closer to this event, we will include information about it and if there is any action required from your side.
Why is this change made now?
We have received feedback from customers on our current Severity levels and how they can be improved. In combination with our new risk prioritization features (coming soon) and the standard of CVSS 3.1, we decided that this is the right moment to perform this change.
When is this change taken into effect?
We plan to introduce this in February 2023. This maintenance window will receive further updates about the event as we get closer to it.
For any questions, reach out to email@example.com.