In 2023 we are coming out with several larger enhancements throughout Security Center where risk management will play a much larger role when managing and prioritizing vulnerabilities.
As a part of this, we will change how Severity levels are set on vulnerabilities based on the specific ranges of the CVSS score from the CVE connected to the vulnerability on Network and Device assets.
Currently, the Severity levels are defined as the following:
- Info: 0
- Low: 0,1–2,0
- Medium: 2,1–5,0
- High: 5,1–8,0
- Critical: 8,1–10,0
Where the score comes from the CVSS 2.0 framework, and the levels/ranges are custom by Holm Security.
After this change to Security Center, the Severity levels will instead look like this:
- Info: 0,0
- Low: 0,1 – 3,9
- Medium: 4,0 – 6,9
- High: 7,0 – 8,9
- Critical: 9,0 – 10,0
These new levels/ranges are primarily derived from the CVSS 3.1 framework, with a fallback to CVSS 3.0 and 2.0 (required for older vulnerabilities where 3.1 does not exist).
Why is this change made now?
We have received customer feedback on our current Severity levels and how they can be improved. Combined with our new risk prioritization features (coming soon) and the standard of CVSS 3.1, we decided that this was the right moment to perform this change.
How is this impacting me?
All vulnerabilities across Security Center will be moved to the new Severity levels. This can result in some vulnerabilities changing the Severity, for example, from Critical to High or Medium to Low. This is a one-time change and is something we do to ensure Security Center stands on a solid foundation for the future.
When is this change taken into effect?
We plan to introduce this change in Q1 2023. We will announce it on our status portal (https://status.holmsecurity.com/) when we get closer to the event.