Server Software Risk Vector: Core Overview Ingrid The Server Software Risk Vector tracks security problems introduced by software that are no longer supported. Supported software gets attention from the development team and vendor, so they can address bugs and vulnerabilities that are discovered. Risk Category: Diligence Default Grade: A Current Rating Impact: 2% Finding Lifetime: 60 Days (The duration a finding impacts your grade if no changes occur). Scan Cadence: Automated every 8 days (or ~3 days via user-requested rescan); Daily automated scans for EASM Enhanced customers. Eligible for Instant Reply? Yes. This data can be used to create a rich picture about the software used by an organization, making it simple to maintain a robust, up-to-date array of server software applications in an organization’s IT infrastructure.Please note: We cannot make any special exemptions with regards to the impact of this risk vector if an organization’s business requirements depend on outdated or insecure server software applications. Please open a ticket with Bitsight Support if you would like to discuss your Server Software findings.How are Server Software Findings Graded?GOOD: The software is up-to-date, has been backported, or has the latest security patches.FAIR: The version has been unsupported for less than 4 weeks. FAIR findings for this risk vector do not have an impact on the rating. There is a grace period of 28 days to allow for validating and updating software packages. During the grace period, findings have a FAIR grade. Findings observed after the end of the grace period and less than 365 days after the end of support have a WARN grade. WARN: The version has been unsupported for less than 52 weeks. Software that are no longer supported are evaluated as WARN for a grace period of 28 days. After 28 days, WARN becomes BAD.BAD: The version has been unsupported for over 52 weeks. The software is either unsupported or it does not have the latest OS-specific patches applied.These impact an organization’s Server Software risk vector grade and Bitsight Security Rating.NEUTRAL: The software status could not be determined or it is unsupported but still receive security fixes. There’s either not enough information to determine if the software version is supported, not enough information to determine if the latest OS-specific patches are installed, or the software is unsupported, but still receives security fixes.These do not impact the Server Software risk vector grade and remediation is unnecessary.Where can I view my Server Software Grades and Findings? SPM App: Findings ➔ Findings Table CM App: Select a company from your Companies List. Go to Vendor Risk ➔ Findings Insurance App: Select a company from your Companies List. Go to Client Risk ➔ Findings Bitsight API: GET /v1/companies/company_guid/findings?risk_vector=server_software Terms that are Good to Know Backported: Some software vendors will duplicate security fixes and bugs from their most recent, supported versions of their software to certain older versions which would otherwise pose a security risk, as a courtesy to their customers. Learn more about backports. Deprecated: Deprecated software versions are those for which newer versions are available, and the software vendor has declared they are ending support for that particular version. Operating System: System software that manages computer hardware and software resources and provides common services for computer programs.Example: Microsoft Windows, Linux, Unix, Mac OS Operating System Distribution: A variation on an operating system that is distributed by a vendor. Ubuntu and Debian are distributions of Linux. BSD is a distribution of Unix. Windows and Mac OS do not have distributions. Outdated/Out-of-date: The software version which could be supported, but it needs a minor update (patch) first. Package: A software package is specific to an operating system distribution. Patch: A patch is an improvement made to software on a specific operating system distribution. Supported: Software versions which are supported have the latest bug fixes and security fixes, and present the least risk to businesses that use them. Unsupported: Software versions which are unsupported are known to have bugs or security holes, and the continued use of unsupported software creates a liability for businesses that don't upgrade to newer versions. Did this not fully answer your question? Learn more about Bitsight's Data Collection Methods here. What Operating Systems does Bitsight support What Server Software does Bitsight support October 23, 2025: Daily automated scans for EASM Enhanced customers June 25, 2025: Instant Reply for user-requested rescans. March 25, 2024: “No findings/low findings” changed to “insufficient data.” November 10, 2023: Linked to finding messages. Related to diligence_risk_category server_software Related articles TLS/SSL Configurations Risk Vector Data Collection Methods Overview TLS/SSL Finding Remediation & Remediation Verification Patching Cadence Risk Vector: Core Overview Diligence Risk Category Feedback 0 comments Please sign in to leave a comment.