This article will explain the mapping from Qualys Severity levels of vulnerabilities to Nucleus severity-status combinations.
Qualys has 3 different categories of vulnerabilities, each with levels of severity for the category:
- Vulnerability - These are confirmed active vulnerabilities and have a severity level of between 1-5 (Minimal-Urgent)
- Potential Vulnerability - These are possible vulnerabilities discovered by the Qualys scanner and have a severity level of between 1-5 (Minimal - Urgent)
- Information Gathered - These are informational findings discovered by the Qualys scanner and have a severity level of 1-3 (Minimal - Serious)
Nucleus manages all its vulnerabilities via severity levels and manages the potential status via a Nucleus status. So an Urgent Potential Vulnerability and an Urgent Active Vulnerability from Qualys will both show up as "Critical" in Nucleus, but the Potential vulnerability will display a "Potential" status.
The mappings between Nucleus and Qualys severity levels are as follows:
| Qualys Category | Qualys Severity | Nucleus Severity | Nucleus Status |
|---|---|---|---|
| Vulnerability | 1 Minimal | Informational | Active |
| Vulnerability | 2 Medium | Low | Active |
| Vulnerability | 3 Serious | Medium | Active |
| Vulnerability | 4 Critical | High | Active |
| Vulnerability | 5 Urgent | Critical | Active |
| Potential | 1 Minimal | Informational | Potential |
| Potential | 2 Medium | Low | Potential |
| Potential | 3 Serious | Medium | Potential |
| Potential | 4 Critical | High | Potential |
| Potential | 5 Urgent | Critical | Potential |
| Information Gathered | 1 Minimal | Informational | Active |
| Information Gathered | 2 Medium | Informational | Active |
| Information Gathered | 3 Serious | Informational | Active |
We took this approach in order to standardize the severity from across vulnerability scanners to a more industry-accepted severity ranking, such as the one found on the CVSS scale. Each vulnerability scanner labels their vulnerabilities differently but uses the same scale on the back-end, so we standardized to the 5 levels widely accepted in vulnerability management.
We use Nucleus statuses to differentiate between categories of vulnerabilities, such as potential, waiting for 3rd party, accepted risk, and false positive. This allows for much more flexibility in managing the data.
If you have any questions, please contact us at [email protected].