AnsweredAssumed Answered

Qualys Policy on Adding Vulns vs. Adding Zero Days

Question asked by downinej on Nov 29, 2012
Latest reply on Dec 10, 2012 by downinej

I was curious as to howQualys determines if a Vulnerability is a zero day or not, so I made a callinto the support line. According to the representative a vulnerabilityis only a zero day if: it has an active exploit and if the vendorconfirms this is a vulnerability. What is the reason for the AND insteadof an OR statement? Qualys creates a QID for the vulnerability (making it showup on reports, stating this is a vulnerability that needs to beremediated) without vendor confirmation and I am guessing that there is anactive exploit? I haven't dug deep enough into all of the vulnerabilities inthe knowledgebase to see if it even has to have an active exploit...

 

If Qualys determines that avulnerability is a zero day then they will put that in the title....

 

If there is no patch available,no work around, and it has a QID, I believe it should be labeled as a zero day; does anyone have any thoughts on this? (the QID that started this whole deep dive for me was 90703 as I was searching through the KB if anyone is interested)

Outcomes