Severity change
Incident Report for Fluid Attacks
Postmortem

Impact

At least one client experienced a discrepancy between the severity of a vulnerability in the notification received at the time the vulnerability was marked as safe and the severity displayed on our Platform. The issue started on UTC-5 24-03-15 16:19 and was reactively discovered 9.4 months (TTD) later by one of our engagement managers, who reported it through our help desk[1]. The problem was resolved in 20 days (TTF), resulting in a total impact of 10 months (TTR)[2].

After reviewing our database and its backups, our team identified 6.794 vulnerabilities affected by this incident, and their corresponding severity scores were corrected. For 6.253 vulnerabilities, our team could not determine whether severity score updates were needed because these vulnerabilities were marked as 'Safe' in our database backups. This means we could not confirm if they had a severity score at any point in time.

This incident also impacted our archived data used for analytics purposes. Severity scores were updated for 1.617 vulnerabilities in the archive, while for 291 vulnerabilities, our team could not determine if severity scores were required for the same reasons mentioned above.

Cause

The vulnerability severity discrepancies were caused by a flaw in the logic handling severity updates when vulnerabilities were closed after a reattack. The mutation logic had been modified to use a NoUpdate class, but in this specific case None was received as the severity parameter instead, and the update treated it as a deletion: the vulnerability's own severity was removed and the vulnerability fell back to the severity of its finding. The notification sent at closure time carried the original severity, while the Platform displayed the fallback value, which produced the mismatch[3].

Solution

The mutation logic for handling reattacks was updated. Additionally, mechanisms were put in place to validate severity updates before applying them, ensuring that the severity value cannot default to "None"[4].
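The following is an added illustration, not Fluid Attacks' code, of the failure mode described in the Cause section and the kind of fix described above: a closure routine that writes a default of None straight through (wiping the stored score), a sentinel-based version in which None is rejected and a NoUpdate value leaves the field untouched, and a reconciliation step over a backup snapshot that separates records whose score can be restored from those that were already safe in the backup and so cannot be confirmed. All class, function and field names are assumptions chosen for illustration, and the sample records are constructed.

```python
"""Severity-update sentinel example (added illustration, not Fluid Attacks' code)."""
from dataclasses import dataclass
from typing import Optional, Union


class NoUpdate:
    """Sentinel type: 'leave this field untouched'. Kept distinct from None so
    that an explicit None can be refused instead of silently deleting data."""


NO_UPDATE = NoUpdate()


@dataclass
class Finding:
    severity_score: float  # score a vulnerability falls back to when it has none


@dataclass
class Vulnerability:
    finding: Finding
    severity_score: Optional[float] = None  # None means 'use the finding's score'
    state: str = "vulnerable"

    def effective_severity(self) -> float:
        if self.severity_score is not None:
            return self.severity_score
        return self.finding.severity_score


def close_by_reattack_buggy(vuln: Vulnerability, severity: Optional[float] = None) -> float:
    """'Before': the default None is written unconditionally, so a closure
    that does not mention severity wipes the stored score."""
    vuln.state = "safe"
    vuln.severity_score = severity
    return vuln.effective_severity()


def close_by_reattack_fixed(
    vuln: Vulnerability, severity: Union[float, None, NoUpdate] = NO_UPDATE
) -> float:
    """'After': only an explicit, validated score is written; NO_UPDATE keeps
    the current value and None is refused rather than stored."""
    vuln.state = "safe"
    if isinstance(severity, NoUpdate):
        return vuln.effective_severity()
    if severity is None:
        raise ValueError("severity cannot be set to None; pass NO_UPDATE to keep it")
    if not 0.0 <= float(severity) <= 10.0:
        raise ValueError("severity must be a CVSS score between 0 and 10")
    vuln.severity_score = float(severity)
    return vuln.effective_severity()


def notified_vs_displayed(close_fn) -> tuple:
    """Severity captured in the closure notification vs. what the platform
    shows afterwards; they differ exactly when the stored score was deleted."""
    vuln = Vulnerability(Finding(severity_score=5.0), severity_score=8.8)
    notified = vuln.effective_severity()
    close_fn(vuln)  # reattack closes it; no severity argument given
    return notified, vuln.effective_severity()


def rejects_none(vuln: Vulnerability) -> bool:
    """True if an explicit None is refused and the stored score survives."""
    try:
        close_by_reattack_fixed(vuln, None)
    except ValueError:
        return vuln.severity_score is not None
    return False


def reconcile(backup: dict, current: dict) -> tuple:
    """Classify 'safe' records that now lack a score using a pre-incident
    backup: (ids whose score was wiped and can be restored, ids already safe
    or absent in the backup, for which no prior score can be confirmed)."""
    to_fix, undetermined = [], []
    for vid, cur in current.items():
        if cur["state"] != "safe" or cur["severity_score"] is not None:
            continue
        old = backup.get(vid)
        if old is None or old["state"] == "safe":
            undetermined.append(vid)
        elif old["severity_score"] is not None:
            to_fix.append(vid)
    return to_fix, undetermined


# Constructed sample records, not real data.
BACKUP = {
    "v1": {"state": "vulnerable", "severity_score": 8.8},
    "v2": {"state": "safe", "severity_score": None},
    "v3": {"state": "vulnerable", "severity_score": None},
}
CURRENT_DB = {
    "v1": {"state": "safe", "severity_score": None},
    "v2": {"state": "safe", "severity_score": None},
    "v3": {"state": "safe", "severity_score": None},
    "v4": {"state": "safe", "severity_score": None},
}

if __name__ == "__main__":
    print(notified_vs_displayed(close_by_reattack_buggy))  # (8.8, 5.0)
    print(notified_vs_displayed(close_by_reattack_fixed))  # (8.8, 8.8)
    print(reconcile(BACKUP, CURRENT_DB))  # (['v1'], ['v2', 'v4'])
```

The design point is that an optional parameter whose default doubles as a "clear this value" instruction cannot distinguish "caller said nothing" from "caller asked for deletion"; a dedicated sentinel type makes the two cases explicit, and validating the incoming value before the write turns the silent deletion into a loud error that tests can catch.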

Conclusion

The process for updating severity during vulnerability closure has been improved to prevent unwanted updates. Additional testing and validation mechanisms have been introduced to safeguard against similar issues in the future. INCOMPLETE_PERSPECTIVE < MISSING_TEST

Posted Jan 17, 2025 - 10:34 GMT-05:00

Resolved
At least one client experienced a discrepancy between the severity of a vulnerability in the notification received at the time the vulnerability was marked as safe and the severity displayed on our Platform.
Posted Jan 09, 2025 - 11:00 GMT-05:00