Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Server Software Risk Vector

Ingrid

Server Software is a Diligence risk vector. It tracks security problems introduced by software that are no longer supported. Supported software gets attention from the development team and vendor, so they can address bugs and vulnerabilities that are discovered.

This data can be used to create a rich picture about the software used by an organization, making it simple to maintain a robust, up-to-date array of server software applications in an organization’s IT infrastructure.

Learn more:

Risks

  • Leaves bugs and vulnerabilities unpatched.
  • Exposes organizations to software bugs that can be exploited by attackers and may disrupt business continuity.

Grading

See how the Server Software risk vector is graded.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data

Default: grade-a.png

The use of server software is not required to improve an organization’s cyber security posture. Therefore, there’s no penalty or negative impact to the rating in the absence of Server Software findings.

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.

Duration: 60 Days

Weight

The Server Software risk vector contributes to the weight of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.

Weight: 2%

Remediation

Resources

Recommendations

  • Identify out-of-date server software installations and update them.
  • Ensure the organization has critical server software set to auto-update, if applicable, and if some of the organization’s production applications depend on certain unsupported versions, their software development teams will need to integrate the newer versions into their code base.
  • Consult your operating system vendors’ software repositories and release notes for more information on supported server software for your organization.

Rescan Base Duration

The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Automated Scan: 8 Days

User-Requested Rescan: Instant reply. See timeline for details.

Data

Software support details are regularly updated on a monthly basis.

The following data is updated monthly:

Finding Behavior

The behavior of findings based on remediation and rescan statuses:

New Observation

New observations immediately impact the grade and are assigned its lifetime.

Remediated

  • A new finding with a new rolled up ID is created. It impacts the grade for its 60-day lifetime.
  • The previous finding continues to impact the grade and needs to complete its lifetime. Its rescan status is Assumed Remediated.
  • There is a 28-day grace period after an outdated version to allow for validating and updating software packages.
  • June 25, 2025: Instant Reply for user-requested rescans.
  • March 25, 2024: “No findings/low findings” changed to “insufficient data.”
  • November 10, 2023: Linked to finding messages.

Related articles

Feedback

0 comments

Please sign in to leave a comment.