What's Happening
We rolled out a change to how the Phase 3 internal vulnerability scan files are processed and how they calculate their contribution to the S2Score. It was enabled August 5, 2024.
Issue
The main issue we found was that the version 3 (v3) scoring didn't allow for noticeable improvement in the score when vulnerabilities were patched. Our committee of SMEs developed a much simpler algorithm that is more transparent and easier to understand for anyone involved.
The idea was that we consider each severity of the vulnerability and we map it to a score in the range of 300 (very poor) to 850 (excellent). Each host is still scored individually on a scale of none, low, medium, high, critical, or critical+. Then we map the percentage of hosts that fall in each category to the score we've applied to that category.
Previous Scoring (v3)
Subtracted points based upon how subjectively "bad" a situation is.
The number of vulnerabilities is weighted by CVSS category and chiseled away at the total S2Score for Phase 3.
Each vulnerability decreased the S2Score incrementally.
This resulted in the calculated S2Score for the vulnerability scan being less than 300, which is the bottom of the S2Score range. Because scores could fall below 300, all such scores were clamped to 300, the bottom of the range.
In turn, this made it difficult to demonstrate improvement in the S2Score. If several of the vulnerabilities were patched, fixed, or otherwise removed from the score, the calculated score was sometimes still below 300, so the final score appeared unchanged.
Current Scoring (v4)
The new scoring takes the total hosts affected and looks at the percentage of affected hosts by various levels of vulnerability.
Example: 50 total hosts, 10 of them have one critical-severity vulnerability, 40 of them are patched perfectly.
In that case 20% of the hosts have a critical vulnerability, so patching any one of those 10 hosts would decrease the percentage of vulnerable hosts and therefore raise the score.
This allows any remediation effort to be rewarded with a score increase.
Instead of adding severity to vulnerabilities that have known exploits, we remove some severity from vulnerabilities that do not have known exploits.
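To make the v3 and v4 behaviour above concrete, here is an added illustration (not the product's own code) that runs the page's 50-host example through both approaches. The per-category scores, the v3 per-finding penalties and the size of the "remove some severity" step for findings without a known exploit are all assumed values chosen for illustration.

```python
from collections import Counter

SEVERITIES = ["none", "low", "medium", "high", "critical", "critical+"]
# Assumed mapping of each host category onto the 300-850 range (illustrative only).
CATEGORY_SCORE = {"none": 850, "low": 750, "medium": 650,
                  "high": 500, "critical": 400, "critical+": 300}
# Assumed v3-style per-finding penalties, used only to show why the 300 floor hid improvement.
V3_PENALTY = {"low": 5, "medium": 15, "high": 40, "critical": 100, "critical+": 150}


def effective_severity(severity, known_exploit):
    """v4 keeps the scanned severity when a known exploit exists and drops
    one level otherwise (assumed size of the 'remove some severity' step)."""
    idx = SEVERITIES.index(severity)
    return severity if known_exploit else SEVERITIES[max(idx - 1, 0)]


def host_category(findings):
    """A host is scored on its single worst effective finding; findings are
    (severity, known_exploit) tuples and an empty list means 'none'."""
    levels = [SEVERITIES.index(effective_severity(s, e)) for s, e in findings]
    return SEVERITIES[max(levels, default=0)]


def v4_score(hosts):
    """Percentage of hosts in each category, weighted by that category's score."""
    counts = Counter(host_category(f) for f in hosts)
    total = len(hosts)
    return round(sum(CATEGORY_SCORE[c] * n / total for c, n in counts.items()))


def v3_score(hosts):
    """Old style: every finding chisels points off 850, then clamp at the 300 floor."""
    raw = 850 - sum(V3_PENALTY[s] for f in hosts for s, _ in f)
    return max(raw, 300)


# Constructed sample matching the page's example: 50 hosts, 10 with one
# critical-severity vulnerability (known exploit), 40 fully patched.
SAMPLE = [[("critical", True)]] * 10 + [[]] * 40


def demo():
    before = SAMPLE
    after = SAMPLE[1:] + [[]]  # patch one of the ten critical hosts
    return {"v3": (v3_score(before), v3_score(after)),
            "v4": (v4_score(before), v4_score(after))}


if __name__ == "__main__":
    print(demo())  # v3 stays pinned at 300; v4 rises from 760 to 769
```

Patching a single host leaves the v3 result pinned at the 300 floor, while the v4 percentage-based score moves from 760 to 769.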
What to Expect
We understand that there are questions involved; probably the most important will be "what will happen to my existing score(s)?" First, in testing the new algorithm, the team found that in 95% of the cases the score went up. There are a few outlying situations where the score can go down, but mostly this is designed to offer a better baseline and set you up for reporting improvements.
Second, you may wonder in what circumstances you might see the score change. Vulnerability scan scores are recalculated when vulnerability scan files are added to or edited in an assessment. When you see a file "processing," it's calculating the score.
Simply copying the Phase, creating a Draft from another assessment, or switching into the Current Assessment from another assessment won't recalculate the old score. To recalculate it, you need to:
Open Phase 3 Internal Technical Controls in the old assessment.
Click the "Internal Scan Data" button.
Click "Edit" in the upper-right.
Click "Mark as Complete."
Marking the file complete will recalculate the scores.
Lastly, to aid in the transition between old and new scores, the Internal Scan Data dialog box will continue to include both current and previous scores in the summary screen.
Old algorithm scores will continue to be displayed in this summary until the end of 2024. We are not including both scores in any of the reports. Remember to refresh reports if you need current scores included in current reports.
If you have more questions, please use the in-app chat or submit a ticket via our Support Center.