On Oct 3rd, 2022, the Qualys TruRisk algorithm will be updated to include the following changes to the Qualys Vulnerability Score (QVS), Asset Risk Score (ARS) and Qualys Detection Score (QDS).
- Assets with multiple vulnerabilities will be ranked higher than assets with only one vulnerability. For example, an asset with 2 critical vulnerabilities whose weighted average score is 95 will be ranked higher than an asset with only one critical vulnerability whose weighted average score is 95.
- Vulnerabilities with only a Proof-of-Concept exploit available will be lowered further in the TruRisk ranking.
- Vulnerabilities with weaponized exploit code or with evidence of active exploitation will be ranked even higher than before (score >=95).
- The Exploit Prediction Scoring System (EPSS) from first.org will be one of the contributing factors for Qualys TruRisk.
- For QIDs with no published CVEs, QVS will be calculated from Real-time Threat Indicators (RTIs) such as Zero-day, Active Attacks, Ransomware, Wormable, etc.
What to Expect?
- Vulnerabilities with only a Proof-of-Concept exploit available that were previously classified as Critical/High may now be classified as Medium/Low.
- Assets with a higher number of vulnerabilities will be ranked higher than assets with fewer vulnerabilities of the same severity and Asset Criticality Score (ACS).
- Externally facing/exposed assets will have a higher Asset Risk Score (ARS) than internal assets with a similar number and severity of vulnerabilities.