Vulnerability Status Flow & Severity Levels

In this article we aim to clarify the meaning of the statuses used by the Ethiack team, as well as how each vulnerability is assessed in terms of severity, and to answer any questions that may arise about these two mechanisms.

Vulnerability Severity Levels

This section explains what the severity assessment of a vulnerability is based on and how vulnerabilities are distributed across the different levels.

It's important to start by noting that Ethiack's vulnerability severity assessment component is based on CVSS 3.1.

It therefore has different levels, which vary according to the impact the attack vectors have on a given system. As the image below shows, severity is represented by a range of levels. The lowest is Informative, which covers vulnerabilities that indicate bad security practices without a significant impact, although they still deserve a note of improvement. The highest is Cosmic, which covers vulnerabilities whose CVSS score is the maximum possible value of 10.0.

[Image: Severity]
As we can see, the severity is distributed over different levels defined by their CVSS score [0-10]:

  • None [ 0.0 ]
  • Low [ 0.1 - 3.9 ]
  • Medium [ 4.0 - 6.9 ]
  • High [ 7.0 - 8.9 ]
  • Critical [ 9.0 - 9.9 ]
  • Cosmic [ 10.0 ]

Vulnerability Status Flow

In this section we aim to identify and describe the various statuses through which a vulnerability can pass.
It is important to understand which transitions are possible, what each status means, and what range of action the Ethiack team and its customers have in each status.

The statuses that can currently be found on the Ethiack platform are as follows:

[Image: Status]

Open :

This is a vulnerability that has yet to be evaluated by Ethiack: it has been detected and appears to be valid, but it still needs to be evaluated by the Ethiack team (this status is used more often in human events).

Informative :

This is a vulnerability that has been identified and analyzed, but does not have a significant impact. It is usually used to identify bad security practices or minor system nonconformities.

Duplicate :

This is assigned when a vulnerability has been identified and is valid, but has already been identified before.

Triaged :

This is a vulnerability that has been identified and validated by Ethiack. It already has a CVSS score and the corresponding severity rating.

Invalid :

This is usually assigned to vulnerabilities that are false positives, or that are not valid vulnerabilities in that context.

Accepted :

The name of the status refers to an Accepted Risk: a vulnerability that has been identified and assessed by Ethiack, and whose impact and severity the client is aware of, but which the client does not intend to do anything about at the moment, thereby accepting the risk inherent in that vulnerability.

Fixed :

This is used to signal a vulnerability that has been fixed on your side.

In machine events, setting a vulnerability to "Fixed" automatically leads to it being retested in the next scan. If the vulnerability is not actually fixed, it returns to the "Triaged" status.

In human events, in addition to setting the status to "Fixed", if you want a particular vulnerability retested, simply click the retest button and the retest will be carried out.

Now that we know what each status means, let's look at the valid paths a vulnerability's status can follow, from when it first arises until it is reported as Fixed, in the ideal scenario.
This flow can be followed in the diagram below:

[Image: status_flow-1]

Important to note:

In the retesting phase a vulnerability that is marked as "Fixed" can return to "Triaged" status if it's not fixed correctly.
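As an added example (not Ethiack's code or documentation), the following Python models the severity bands listed in the Vulnerability Severity Levels section together with the status flow described in this section, including the difference in retest behaviour between machine and human events. The severity bands are copied from the list above; the set of allowed transitions is an assumption reconstructed from the status descriptions, since the flow diagram is not reproduced on this page, and the `Vulnerability` class, its `event_type` flag and the sample finding are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# CVSS 3.1 score bands -> severity level, as listed in the article.
# Entries are (lower bound, upper bound, level); both bounds are inclusive.
SEVERITY_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 9.9, "Critical"),
    (10.0, 10.0, "Cosmic"),
]

# Outcomes the Ethiack team can assign when evaluating an Open finding.
EVALUATION_OUTCOMES = {"Triaged", "Informative", "Duplicate", "Invalid"}

# Allowed transitions. ASSUMPTION: reconstructed from the status descriptions
# in the article; the flow diagram itself is not reproduced on the page.
ALLOWED_TRANSITIONS = {
    "Open": EVALUATION_OUTCOMES,
    "Triaged": {"Accepted", "Fixed"},
    "Accepted": {"Fixed"},   # assumption: an accepted risk may later be remediated
    "Fixed": {"Triaged"},    # retest found the issue still present
    "Informative": set(),
    "Duplicate": set(),
    "Invalid": set(),
}

# The ideal scenario described in the article: found, validated, fixed.
IDEAL_PATH = ["Open", "Triaged", "Fixed"]


def severity_level(cvss_score: float) -> str:
    """Map a CVSS 3.1 base score to the platform's severity level.

    CVSS base scores carry one decimal place, so the score is rounded to one
    decimal before the band lookup; anything outside 0.0-10.0 is rejected.
    """
    score = round(cvss_score, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss_score}")
    for low, high, level in SEVERITY_BANDS:
        if low <= score <= high:
            return level
    raise AssertionError("bands cover 0.0-10.0, so this is unreachable")


@dataclass
class Vulnerability:
    title: str
    event_type: str   # "machine" or "human", as distinguished in the article
    cvss_score: Optional[float] = None
    status: str = "Open"
    retest_pending: bool = False
    history: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def severity(self) -> Optional[str]:
        return None if self.cvss_score is None else severity_level(self.cvss_score)

    def transition(self, new_status: str, cvss_score: Optional[float] = None) -> str:
        """Move to new_status, enforcing the allowed transitions.

        Triaged means the finding has a CVSS score and severity rating, so a
        score must already be present (or be supplied) for that transition.
        """
        if new_status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not a valid transition")
        if cvss_score is not None:
            self.cvss_score = cvss_score
        if new_status == "Triaged" and self.cvss_score is None:
            raise ValueError("Triaged requires a CVSS score")
        self.history.append((self.status, new_status))
        self.status = new_status
        # Machine events: marking Fixed automatically schedules a retest in
        # the next scan. Human events: retest only when explicitly requested.
        self.retest_pending = new_status == "Fixed" and self.event_type == "machine"
        return self.status

    def request_retest(self) -> None:
        """Human events: the retest button on a Fixed vulnerability."""
        if self.status != "Fixed":
            raise ValueError("only a Fixed vulnerability can be retested")
        self.retest_pending = True

    def apply_retest(self, still_vulnerable: bool) -> str:
        """Record a retest result: if the issue is still present, back to Triaged."""
        if not self.retest_pending:
            raise ValueError("no retest pending")
        self.retest_pending = False
        if still_vulnerable:
            self.transition("Triaged")
        return self.status

    def followed_ideal_path(self) -> bool:
        """True when the status went Open -> Triaged -> Fixed with no detours."""
        visited = [IDEAL_PATH[0]] + [new for _, new in self.history]
        return visited == IDEAL_PATH


if __name__ == "__main__":
    # Constructed sample: a machine-event finding that fails its first retest.
    v = Vulnerability("Reflected XSS in search parameter", event_type="machine")
    v.transition("Triaged", cvss_score=6.1)
    print(v.title, "->", v.status, "/", v.severity)
    v.transition("Fixed")
    print("retest pending after Fixed:", v.retest_pending)
    print("status after failed retest:", v.apply_retest(still_vulnerable=True))
    print("ideal path followed:", v.followed_ideal_path())
```

The `transition` method is where the two mechanisms meet: a finding cannot become Triaged without a CVSS score, and the `retest_pending` flag is only raised automatically for machine events, mirroring the difference described under the Fixed status. Running the sample shows the Fixed -> Triaged loop from the note above.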