
Qualys' Definition of Zero-day

Question asked by derekv on Feb 26, 2019
Latest reply on Feb 27, 2019 by derekv

Can someone from Qualys provide clarity on what Qualys views as a zero-day vulnerability? I see a ton of inconsistency in the way Qualys titles vulnerabilities... Some vulnerabilities are appended with " - Zero day" but the majority are not... There are a ton of vulnerabilities with no solution but Qualys doesn't mark them as such...

Example: QID - 371535 (PuTTY SCP Client Spoofing Vulnerability). This impacts all released versions of PuTTY (.7 and under). No patch has been released. However, Qualys doesn't call this a zero-day. The standard definition of a 0-day most companies use is a vulnerability that has been released/published/announced that has no patch. But Qualys doesn't seem to adhere to this. Please provide guidance on how/when you do label things 0-days.
