Lifetime is the number of days a finding impacts its risk vector grade, assuming nothing changes and the finding is not updated with new information. After that period the finding no longer affects the grade. Learn why findings have a decay and lifetime period.
Compromised Systems
The lifetime of Compromised Systems risk vectors is 180 days.
Diligence
- SPF Domains = 60 Days
- DKIM Records = 60 Days
- TLS/SSL Certificates = 60 Days
- TLS/SSL Configurations = 60 Days
- Open Ports = 60 Days
- Web Application Headers = 60 Days
- Patching Cadence = 90 Days
- Insecure Systems = 60 Days
- Server Software = 60 Days
- Desktop Software = 65 Days
- Mobile Software = 65 Days
- DNSSEC = 60 Days
- Mobile Application Security = 1 Year
- Web Application Security = 60 Days
- DMARC = 60 Days
- Domain Squatting = Not applicable
User Behavior
- File Sharing = 60 Days
- Exposed Credentials = Not applicable
Public Disclosures
- Security Incidents = Ratings-impacting events have a 120-day half-life starting from the event's effective date: the impact halves after 120 days and continues to decay thereafter. An individual event stops impacting the rating entirely after 2 years.
- Other Disclosures = Not applicable.
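To make the lifetimes and the incident decay concrete, the following is an added example (not code from this page or from the ratings vendor) that turns the table above into two questions a remediation team actually asks: when does each open finding stop counting, and how much residual weight does a set of past security incidents still carry as of a given date. The lifetimes are the page's; the function names, the exponential decay curve between the 120-day half-life and the 2-year cutoff, and the use of 730 days for "2 years" are this example's assumptions.

```python
from datetime import date, timedelta
from typing import Optional

# Finding lifetimes per risk vector, in days, as listed on this page.
# None marks the vectors the page lists as "Not applicable".
LIFETIME_DAYS = {
    "Compromised Systems": 180,
    "SPF Domains": 60,
    "DKIM Records": 60,
    "TLS/SSL Certificates": 60,
    "TLS/SSL Configurations": 60,
    "Open Ports": 60,
    "Web Application Headers": 60,
    "Patching Cadence": 90,
    "Insecure Systems": 60,
    "Server Software": 60,
    "Desktop Software": 65,
    "Mobile Software": 65,
    "DNSSEC": 60,
    "Mobile Application Security": 365,
    "Web Application Security": 60,
    "DMARC": 60,
    "Domain Squatting": None,
    "File Sharing": 60,
    "Exposed Credentials": None,
}

# Security Incidents decay instead of expiring outright.
INCIDENT_HALF_LIFE_DAYS = 120
INCIDENT_MAX_AGE_DAYS = 2 * 365  # "2 years"; the exact day count is an assumption


def finding_expiry(risk_vector: str, first_seen: date) -> Optional[date]:
    """Date on which a finding stops affecting its risk vector grade,
    or None when the vector's lifetime is "Not applicable"."""
    lifetime = LIFETIME_DAYS[risk_vector]
    if lifetime is None:
        return None
    return first_seen + timedelta(days=lifetime)


def days_remaining(risk_vector: str, first_seen: date, as_of: date) -> Optional[int]:
    """Days the finding will keep counting after as_of (0 once expired)."""
    expiry = finding_expiry(risk_vector, first_seen)
    if expiry is None:
        return None
    return max((expiry - as_of).days, 0)


def incident_weight(age_days: int) -> float:
    """Residual impact of one Security Incident as a fraction of its day-0 impact.
    Exponential decay 0.5 ** (age / 120) is an assumed curve consistent with the
    page's "halves after 120 days, then keeps decaying"; the 2-year cutoff is the page's."""
    if age_days < 0:
        raise ValueError("incident effective date cannot be in the future")
    if age_days >= INCIDENT_MAX_AGE_DAYS:
        return 0.0
    return 0.5 ** (age_days / INCIDENT_HALF_LIFE_DAYS)


def total_incident_weight(effective_dates: list, as_of: date) -> float:
    """Sum of residual weights of several incidents (assumes they add linearly)."""
    return sum(incident_weight((as_of - d).days) for d in effective_dates)


def remediation_order(findings: list, as_of: date):
    """Rank open findings: the ones that would otherwise keep counting longest
    are listed first, since fixing them saves the most days of impact.
    Vectors without a lifetime are returned separately, not ranked."""
    ranked, no_lifetime = [], []
    for risk_vector, first_seen in findings:
        left = days_remaining(risk_vector, first_seen, as_of)
        if left is None:
            no_lifetime.append(risk_vector)
        else:
            ranked.append((risk_vector, left))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, no_lifetime


if __name__ == "__main__":
    # Constructed sample findings, not real data.
    today = date(2024, 6, 15)
    sample = [("Open Ports", date(2024, 6, 1)),
              ("Patching Cadence", date(2024, 6, 1)),
              ("Exposed Credentials", date(2024, 6, 1))]
    print(remediation_order(sample, today))
    print(total_incident_weight([date(2024, 1, 1), date(2023, 9, 3)], date(2024, 1, 1)))
```

Note that the ranking only orders by how long a finding would otherwise persist; it does not weigh one risk vector against another, which the page does not describe.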
- July 10, 2024: The Patching Cadence lifetime is 90 days.
- January 31, 2024: The Patching Cadence lifetime is subject to change for the 2024 RAU.
- December 12, 2023: Incorporated 2-year lifetime from RAU 2023 for Security Incidents.
Feedback
You need to update the lifetime on Patching - thanks
We will update the documentation on Patching Cadence lifetime when the 2024 Ratings Algorithm Update goes into effect - ETA July 10.