At least one client experienced a discrepancy between the severity reported in the notification sent when a vulnerability was marked as safe and the severity displayed on our Platform. The issue started on UTC-5 24-03-15 at 16:05 and was reactively discovered 9.2 months (TTD) later by one of our engagement managers, who reported through our help desk [1] that the severity scores were inconsistent. The problem was resolved in 20.1 days (TTF), resulting in a total window of exposure of 9.9 months (WOE) [2].
After reviewing our database and its backups, our team identified 6.794 vulnerabilities affected by this incident and corrected their corresponding severity scores. For 6.253 vulnerabilities, our team could not determine whether severity score updates were needed because these vulnerabilities were marked as 'Safe' in our database backups. This means we could not confirm if they had a severity score at any point in time.
This incident also impacted our archived data used for analytics purposes. Severity scores were updated for 1.617 vulnerabilities in the archive, while our team could not determine if severity scores were required for 291 vulnerabilities for the same reasons mentioned above.
The vulnerability severity discrepancies were caused by a flaw in the logic that handles severity updates when vulnerabilities are closed due to reattacks. The mutation logic had been modified to use a NoUpdate class, but in this specific case, when None was received as the severity parameter, the update path deleted the stored severity instead of leaving it untouched, so the corresponding vulnerability fell back to its finding's severity. This is what produced the mismatch between the severity in the notifications and the severity shown on the Platform [3].
The mutation logic for handling reattacks was updated. Additionally, mechanisms were established to validate severity updates before applying them, ensuring that the severity value cannot default to "None" [4].
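The following Python example is added here to illustrate the root cause and the fix described above; it is not code from the Platform. It reconstructs the sentinel pattern with hypothetical names (NoUpdate, apply_update_buggy, apply_update_fixed, close_due_to_reattack_*, classify_backup_records) and a constructed vulnerability record: the pre-fix update treats an explicit None the same as any other value and writes it through, wiping the vulnerability's own score so the effective severity falls back to the finding; the fixed update validates the severity before applying it and rejects None outright, and the closure path passes the NoUpdate sentinel instead. The last helper mirrors, in simplified form, the backup review that separated records whose score could be restored from those that could not be determined.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Union


class NoUpdate:
    """Sentinel type: the caller did not supply this field, so leave it untouched.
    (Hypothetical name, modelled on the NoUpdate class mentioned in the postmortem.)"""
    __slots__ = ()

    def __repr__(self) -> str:
        return "NO_UPDATE"


NO_UPDATE = NoUpdate()
MaybeSeverity = Union[NoUpdate, None, float]


@dataclass(frozen=True)
class Finding:
    id: str
    severity: float  # finding-level score inherited by vulnerabilities without their own


@dataclass(frozen=True)
class Vulnerability:
    id: str
    finding: Finding
    state: str = "vulnerable"
    severity: Optional[float] = None  # None = no own score, inherit from the finding

    @property
    def effective_severity(self) -> float:
        """The score a notification or the platform view would display."""
        return self.finding.severity if self.severity is None else self.severity


def apply_update_buggy(vuln: Vulnerability, *, state: Union[NoUpdate, str] = NO_UPDATE,
                       severity: MaybeSeverity = NO_UPDATE) -> Vulnerability:
    """Pre-fix behaviour (reconstruction): only the sentinel means 'unchanged';
    an explicit None is written through, which deletes the stored score."""
    new_state = vuln.state if isinstance(state, NoUpdate) else state
    new_severity = vuln.severity if isinstance(severity, NoUpdate) else severity
    return replace(vuln, state=new_state, severity=new_severity)


def close_due_to_reattack_buggy(vuln: Vulnerability) -> Vulnerability:
    """The closure path forwarded severity=None intending 'do not touch severity'."""
    return apply_update_buggy(vuln, state="safe", severity=None)


def validate_severity(value: MaybeSeverity) -> Union[NoUpdate, float]:
    """Validate before applying: an update may never default to None."""
    if isinstance(value, NoUpdate):
        return value
    if value is None:
        raise ValueError("severity update must not be None; pass NO_UPDATE to leave it unchanged")
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"severity {value!r} is outside the 0.0-10.0 range")
    return float(value)


def apply_update_fixed(vuln: Vulnerability, *, state: Union[NoUpdate, str] = NO_UPDATE,
                       severity: MaybeSeverity = NO_UPDATE) -> Vulnerability:
    """Post-fix behaviour: severity is validated, so None can no longer clear it."""
    severity = validate_severity(severity)
    new_state = vuln.state if isinstance(state, NoUpdate) else state
    new_severity = vuln.severity if isinstance(severity, NoUpdate) else severity
    return replace(vuln, state=new_state, severity=new_severity)


def close_due_to_reattack_fixed(vuln: Vulnerability) -> Vulnerability:
    """Closing a vulnerability only changes its state; severity is left as the sentinel."""
    return apply_update_fixed(vuln, state="safe")


def classify_backup_records(before: Dict[str, Optional[float]],
                            after: Dict[str, Optional[float]]) -> Dict[str, List[str]]:
    """Simplified backup review. 'before' and 'after' map vulnerability id to its own
    stored score (None = no own score) in a backup taken before and after the closure.
    A score present before and gone after was wiped by the bug and can be restored;
    None in both snapshots cannot be decided from the backups alone."""
    result: Dict[str, List[str]] = {"restore": [], "undetermined": [], "unchanged": []}
    for vid, old in before.items():
        new = after.get(vid)
        if old is not None and new is None:
            result["restore"].append(vid)
        elif old is None and new is None:
            result["undetermined"].append(vid)
        else:
            result["unchanged"].append(vid)
    return result


if __name__ == "__main__":
    # Constructed sample: the vulnerability carries its own score, higher than the finding's.
    vuln = Vulnerability("V-1", Finding("F-1", severity=3.5), severity=8.8)
    print("buggy :", close_due_to_reattack_buggy(vuln).effective_severity)  # falls back to 3.5
    print("fixed :", close_due_to_reattack_fixed(vuln).effective_severity)  # stays 8.8
```

The design point is that None and "no value supplied" are different things: once a sentinel type exists for "unchanged", every call site that previously used None for that purpose has to be migrated, and the update function should refuse None rather than interpret it, so a missed call site fails loudly in testing instead of silently deleting data.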
The process for updating severity during vulnerability closure has been improved to prevent unwanted updates. Additional testing and validation mechanisms have been introduced to safeguard against similar issues in the future. INCOMPLETE_PERSPECTIVE < MISSING_TEST