The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. With the release of CVSS version 3.1, Qualys now supports CVSS v3.1 scoring for vulnerability detections.
Qualys, as an Approved Scanning Vendor (ASV), will use CVSS v3.1 to score reported vulnerabilities and compute PCI DSS compliance scores.
As part of this change, PCI categorization of vulnerabilities will use the CVSS v3.1 base score when computing PCI DSS compliance scores. If the CVSS v3.1 base score is 4.0 or higher, the vulnerability counts toward PCI DSS compliance scoring and is a PCI Fail per the ASV Program Guide.
For additional transparency to Qualys customers, the following mechanism is used to assign PCI DSS compliance scores to vulnerabilities:
- If the NVD entry for a specific CVE identifier includes a CVSS v3.1 score, then Qualys will publish the CVSS v3.1 score in the report.
- If the NVD entry for the CVE identifier does not include a CVSS v3.1 score, then Qualys will publish the CVSS v3.0 score in the report.
- If the NVD entry for the CVE identifier does not include either a CVSS v3.1 or CVSS v3.0 score, then Qualys will publish the CVSS v2.0 score in the report.
- Finally, if the NVD entry for the CVE identifier does not include any CVSS score (or there is no NVD entry for the CVE identifier), then Qualys will calculate and publish the base score using the CVSS v3.1 calculator.
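The fallback order above, together with the 4.0 PCI Fail threshold, can be expressed as a small scoring routine. The following is an added example written for this post; it is not Qualys code and does not reflect how the Qualys platform is implemented. It assumes a simplified NVD-like record shape (a dict with optional `cvssV31`, `cvssV30` and `cvssV2` keys), assumes that an analyst-supplied CVSS v3.1 vector stands in for the "CVSS v3.1 calculator" step when NVD has no score, and assumes that the same 4.0 threshold is applied to whichever score is selected. The base-score arithmetic follows the published CVSS v3.1 specification (section 7.4), including its Roundup function, so the example also shows what the calculator step actually computes.

```python
import math

# CVSS v3.1 base-metric weights (CVSS v3.1 specification, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# ASV Program Guide threshold quoted in the post: base score >= 4.0 is a PCI Fail.
PCI_FAIL_THRESHOLD = 4.0


def _roundup(value):
    """CVSS v3.1 Roundup: round up to one decimal using the spec's integer trick,
    which avoids floating-point artefacts such as 4.000000001 rounding to 4.1."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(vector):
    """Compute the CVSS v3.1 base score from a vector string such as
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("not a CVSS v3.1 vector: %r" % vector)
    m = dict(p.split(":", 1) for p in parts[1:])
    changed = m["S"] == "C"
    # Impact Sub-Score and Impact, which differs when scope is changed.
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    # Privileges Required weight also depends on scope.
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


def score_for_pci(nvd_entry, analyst_vector=None):
    """Select the score to publish using the post's fallback order:
    NVD v3.1 -> NVD v3.0 -> NVD v2.0 -> compute v3.1 ourselves.
    `nvd_entry` is None when NVD has no record for the CVE (assumed shape)."""
    entry = nvd_entry or {}
    for source in ("cvssV31", "cvssV30", "cvssV2"):
        score = entry.get(source)
        if score is not None:
            break
    else:
        if analyst_vector is None:
            raise ValueError("no NVD score and no vector to calculate from")
        source, score = "computed_v31", cvss31_base_score(analyst_vector)
    score = float(score)
    status = "FAIL" if score >= PCI_FAIL_THRESHOLD else "PASS"
    return {"source": source, "score": score, "pci": status}


# Constructed sample records; the keys are placeholders, not real CVE identifiers.
SAMPLE_NVD = {
    "example-1": {"cvssV31": 9.8, "cvssV30": 9.8, "cvssV2": 10.0},  # v3.1 present
    "example-2": {"cvssV30": 6.5, "cvssV2": 4.3},                   # falls back to v3.0
    "example-3": {"cvssV2": 2.1},                                   # falls back to v2.0
    "example-4": None,                                              # no NVD entry at all
}
# Constructed vector an analyst might assign for example-4 (no NVD data).
SAMPLE_VECTOR = "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"


def score_samples():
    """Run every sample record through the selection logic."""
    return {
        cve: score_for_pci(entry, SAMPLE_VECTOR if entry is None else None)
        for cve, entry in SAMPLE_NVD.items()
    }


if __name__ == "__main__":
    for cve, result in score_samples().items():
        print(cve, result)
```

Running the block prints one line per sample: the first entry publishes the NVD v3.1 score and fails PCI, the second falls through to v3.0, the third to v2.0 (2.1, a pass), and the fourth is computed locally from the vector (1.8, a pass). Because the Roundup step is taken from the specification rather than a naive `round()`, the computed scores match what the official calculator shows for the same vectors.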
In the upcoming Qualys VM & PCI release, 10.22.1.0-2, Qualys customers will observe an increase in the vulnerability count in PCI attributes, which can be noticed in the vulnerability and PCI Merchant Portal reports.