Desktop Software Risk Vector: Core Overview

Ingrid

The Desktop Software Risk Vector looks at a desktop device’s software version and compares it with the latest and currently available software versions to determine if the device software is supported or out of date.

Risk Category: Diligence
Default Grade: N/A; this default grade does not have a negative impact on the rating. It is equivalent to a perfect grade.
Current Rating Impact: 3%
Finding Lifetime: 65 Days, with a 28-day grace period for remediation.
Scan Cadence: This risk vector is not assessed using automated scans. Instead, our internal records are updated weekly based on data received from our partners.
Eligible for Instant Reply? No.

Bitsight identifies endpoint data from desktop devices, such as laptops, servers, and other non-tablet, non-phone computers within a corporate network that access the internet. The outgoing communications from desktop devices include metadata about the device's operating system and browser version.

The Desktop Software risk vector targets end-user systems running on obsolete or unsupported browsers and operating systems, as upgrading to current versions is essential for resolving stability concerns, software bugs, and security vulnerabilities.

Recommendations for Managing the Desktop Software Risk Vector

- Search and identify unsupported desktop software, and then update the software to the latest version.
- Set up auto-update methods for critical desktop software.
- Insufficient information prevents Bitsight from identifying unsupported software.
- The use of software device management systems is recommended, along with integrating human processes that ensure systems in the organization are patched and the software is up-to-date.

How is the Desktop Software Risk Vector graded?

Grading is based on the number of observed devices. Each finding can be associated with one or more observed devices.

When data is insufficient, this risk vector receives an N/A default grade.
This occurs if there are no findings or if the device count falls below the required threshold.

Observed Devices Threshold

Thresholds ensure there is a sufficient statistical sample size for any company of any size. They are determined as follows:

- The number of observed devices is less than 5 (<5), or
- The number of observed devices is less than 100 (<100) and less than the number of employees divided by 1,000 (<employee_count/1000).

July 21, 2025: OS & browsers list 19-JUL-2025 version.
July 15, 2025: OS & browsers list 10-JUL-2025 version.
July 8, 2025: OS & browsers list 03-JUL-2025 version.

6 comments

KyleP November 12, 2021 14:11
Where is this information collected? Are these devices discovered to be associated with the vendor/company or is this noting that the vendor/company simply allows connections from unsupported versions?

Ingrid November 12, 2021 14:41
Hello KyleP. Our data partners provide us with the user-agent string from endpoint clients that are loading the content, which includes information about the operating system, the device name (for mobile), browser information (IP address and cookie data). You can learn more here: How are the Desktop Software and Mobile Software Risk Vectors Observed?

Jose Magrinho March 25, 2024 16:53
Please, can we have a monthly update of "endpoint OS-browser versions list"?

Ingrid April 01, 2024 18:08
Hello José. The OS-browser versions list is new as of February 2024. We are still working out the cycle on when and how often to update this. In the meantime, I will check on if there's a newer version available at the moment.

Sharoon Reyes May 24, 2024 13:09
Ingrid, if the issue gets remediated, what would the process be for updating the information on BitSight? Are you able to provide more information?

Ingrid May 28, 2024 18:41
Sharoon Reyes I think you may be referring to finding refresh, which is when the Bitsight platform checks for new observations and then updates the findings as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated. For the Desktop Software risk vector, we check our internal records on data received from our partners on a weekly basis.
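
The article's two mechanics, reading OS and browser versions from outgoing User-Agent metadata and requiring a minimum number of observed devices, can be reproduced against an organization's own egress proxy logs to find unsupported desktop software. The Python below is an added example, not Bitsight's code or its OS & browsers list: the version baseline, device ids and User-Agent strings are constructed, and `classify`, `below_threshold` and `audit` are hypothetical names.

```python
import re

# Assumed baseline of minimum supported browser major versions (constructed
# for illustration; substitute your own policy, this is not Bitsight's list).
MIN_BROWSER_MAJOR = {"Edg": 125, "Chrome": 125, "Firefox": 126}
# Windows NT below 10.0 means Windows 8.1 or older, all past end of support.
# Windows 10 and 11 both report NT 10.0, so the UA alone cannot separate them.
MIN_WINDOWS_NT = (10, 0)

BROWSER_RE = re.compile(r"\b(Edg|Chrome|Firefox)/(\d+)")
WINNT_RE = re.compile(r"Windows NT (\d+)\.(\d+)")

def classify(user_agent):
    """Return the reasons a client looks out of date (empty list if none)."""
    reasons = []
    found = dict(BROWSER_RE.findall(user_agent))
    # Edge also sends a Chrome/ token, so check the most specific name first.
    for name in ("Edg", "Firefox", "Chrome"):
        if name in found:
            if int(found[name]) < MIN_BROWSER_MAJOR[name]:
                reasons.append(f"{name} {found[name]} < {MIN_BROWSER_MAJOR[name]}")
            break
    nt = WINNT_RE.search(user_agent)
    if nt and (int(nt[1]), int(nt[2])) < MIN_WINDOWS_NT:
        reasons.append(f"Windows NT {nt[1]}.{nt[2]} unsupported")
    return reasons

def below_threshold(observed_devices, employee_count):
    """The article's rule for a sample too small to grade (N/A default)."""
    return observed_devices < 5 or (
        observed_devices < 100 and observed_devices < employee_count / 1000)

def audit(devices, employee_count):
    """devices maps a device id to the User-Agent seen in your proxy logs."""
    outdated = {d: r for d, ua in devices.items() if (r := classify(ua))}
    return {"observed": len(devices), "outdated": outdated,
            "sufficient_sample": not below_threshold(len(devices), employee_count)}

# Constructed sample input: device ids and User-Agent strings are made up.
SAMPLE = {
    "lt-001": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
    "lt-002": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "lt-003": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0",
    "lt-004": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
    "lt-005": "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0",
    "lt-006": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
}
if __name__ == "__main__":
    print(audit(SAMPLE, employee_count=3000))
```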