- January 4, 2024: Clarified conditions for N/A risk vector grade.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.
- November 17, 2023: No/low findings definition.
The Mobile Software risk vector assesses whether the observed mobile software versions (operating system and browser) are still supported by their vendors or have reached end of support. Using mobile software is not itself required for a good cyber security posture, and an organization with no observed mobile software is not penalized (see the N/A grade below).
Grading of this risk vector is weighted by the estimated number of users: each finding can be associated with one or more estimated users, and these estimates are counted across all findings in the risk vector.
Details & Values

Finding Lifetime
The number of days a finding will impact the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.

Number of Findings: Low or None
The N/A grade is assigned when there are no findings, or when the estimated number of users detected across all active Mobile Software findings falls below a minimum threshold (see below).
The grade changes to N/A as soon as the estimated number of users drops below the threshold. To avoid sudden fluctuations, the grade only changes back from N/A to a letter grade (A to F) once the estimated number of users has stayed above the threshold for 65 consecutive days.
The Mobile Software risk vector is considered to have low finding visibility while the estimated number of users on all active findings is below the minimum threshold.
The threshold is determined as follows:
Default: – “N/A” Risk Vector Grade
The N/A grade in Mobile Software has no negative impact on the rating. It is equivalent to a perfect grade.
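The threshold rule and the 65-day recovery window above behave like a small state machine: one day below the threshold drops the vector to N/A immediately, while returning to a letter grade requires the count to stay above the threshold for the full window. The Python below is an added example written for this page, not Bitsight's own grading code. The threshold value, the per-finding `estimated_users` key and the daily user series are constructed inputs, and the letter grade the vector would receive once graded is simply passed in, because how that letter is derived is not described here.

```python
from typing import Iterable, List, Mapping

# From the page: the grade returns from N/A to a letter grade only after the
# estimated user count has stayed above the threshold for 65 days.
RECOVERY_DAYS = 65


def total_estimated_users(findings: Iterable[Mapping[str, int]]) -> int:
    """Sum the estimated users over all active findings.

    Each finding is associated with one or more estimated users; the
    "estimated_users" key name is an assumption made for this example.
    """
    return sum(f["estimated_users"] for f in findings)


def has_low_visibility(findings: Iterable[Mapping[str, int]], threshold: int) -> bool:
    """Low finding visibility: users across all active findings below the threshold."""
    return total_estimated_users(findings) < threshold


def risk_vector_grade_series(
    daily_users: Iterable[int],
    threshold: int,
    letter_grade: str,
    initially_graded: bool = False,
) -> List[str]:
    """Return one grade per day for a daily series of total estimated users.

    Rules implemented from the page:
      * below the threshold (including 0 users, i.e. no findings): N/A at once;
      * N/A -> letter grade only after RECOVERY_DAYS consecutive days at or
        above the threshold (the page says "above"; counting a day exactly at
        the threshold as enough is an assumption for the boundary case).
    initially_graded says whether the vector already held a letter grade before
    the series starts; a freshly observed vector starts at N/A.
    """
    grades: List[str] = []
    graded = initially_graded
    streak = 0  # consecutive days at or above the threshold
    for users in daily_users:
        if users < threshold:
            graded = False  # drop to N/A immediately
            streak = 0
        else:
            streak += 1
            if not graded and streak >= RECOVERY_DAYS:
                graded = True  # recovered after the full window
        grades.append(letter_grade if graded else "N/A")
    return grades


def demo_series() -> List[str]:
    """Constructed scenario: 70 days above a threshold of 1000 users, one day
    below it, then 65 days above it again. The single dip resets the window,
    so the vector is N/A again for 64 days before the letter grade returns."""
    threshold = 1000
    series = [1500] * 70 + [900] + [1500] * 65
    return risk_vector_grade_series(series, threshold, "B")


if __name__ == "__main__":
    grades = demo_series()
    for day in (63, 64, 69, 70, 134, 135):
        print(f"day {day + 1:3d}: {grades[day]}")
```

Running the script shows the recovery delay on both sides of the dip: day 64 is still N/A, day 65 is the first graded day, day 71 (the dip) is N/A again, and the letter grade only comes back on day 136.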
Finding Refresh
The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, for example when a new Diligence finding is observed or an existing finding has been remediated.

Automated Scan Duration
The duration of a regularly scheduled finding refresh, during which the Bitsight platform checks for new observations.

User-Requested Refresh Duration
The duration of a user-requested refresh, which initiates a refresh of eligible findings on request. This is recommended when a change in the finding is expected, such as after a finding has been remediated.

Grace Period
The time before a recognized finding starts to impact ratings. There is a grace period of 28 days to allow for validating and updating software packages.

Rating Weight
Out of 70.5% in Diligence.
The operating system (OS) and browser are graded independently of one another based on their support status. The finding grade is then calculated from a combination of the OS and browser grades.
There is a grace period of 28 days after the end of support to allow for validating and updating software packages.
- During the grace period, findings have a FAIR grade.
- FAIR findings for this risk vector do not have an impact on the rating.
- Findings observed after the grace period has ended, but less than 365 days after the end of support, have a WARN grade.
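The independent OS and browser grading and the grace-period and WARN windows above can be written out as a small grading function, which makes the day-28 and day-365 boundaries explicit. The Python below is an added example for this page, not Bitsight's grading code, and it assumes three things the page leaves open: software that is still supported is graded GOOD, the finding grade is the worse of the OS and browser grades, and a version more than 365 days past its end of support is graded BAD (the page only states the FAIR and WARN ranges). The end-of-support date used in the timeline is constructed.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

GRACE_DAYS = 28          # from the page: grace period after end of support
WARN_WINDOW_DAYS = 365   # from the page: WARN until 365 days after end of support

# Ordering used when combining the OS and browser grades (assumption: worst wins).
_SEVERITY = {"GOOD": 0, "FAIR": 1, "WARN": 2, "BAD": 3}


def days_unsupported(end_of_support: Optional[date], observed: date) -> Optional[int]:
    """Days between the vendor's end of support and the observation.

    None means the observed version is still supported; a negative number means
    the end-of-support date is still in the future on the observation date.
    """
    if end_of_support is None:
        return None
    return (observed - end_of_support).days


def component_grade(days: Optional[int]) -> str:
    """Grade one component (the OS or the browser) from its days out of support.

    Boundaries: days 0 to 27 fall inside the 28-day grace period (FAIR); days
    28 to 364 are WARN; day 365 onward is BAD, which is an assumption because
    the page only states the FAIR and WARN ranges.
    """
    if days is None or days < 0:
        return "GOOD"  # assumption: supported software gets the passing grade
    if days < GRACE_DAYS:
        return "FAIR"
    if days < WARN_WINDOW_DAYS:
        return "WARN"
    return "BAD"


def combine(os_grade: str, browser_grade: str) -> str:
    """Finding grade from the two independent component grades (assumption: worst wins)."""
    return max(os_grade, browser_grade, key=_SEVERITY.__getitem__)


def finding_grade(os_end_of_support: Optional[date],
                  browser_end_of_support: Optional[date],
                  observed: date) -> str:
    """Grade the OS and browser independently, then combine them."""
    os_grade = component_grade(days_unsupported(os_end_of_support, observed))
    browser_grade = component_grade(days_unsupported(browser_end_of_support, observed))
    return combine(os_grade, browser_grade)


def affects_rating(grade: str) -> bool:
    """FAIR findings in this risk vector do not affect the rating (from the page);
    GOOD has nothing to penalise; WARN and the assumed BAD are taken to count."""
    return grade in ("WARN", "BAD")


def grade_timeline(end_of_support: date = date(2023, 1, 1)) -> List[Tuple[int, str]]:
    """(days after end of support, finding grade) at each boundary the page names,
    for a finding whose OS went out of support on end_of_support (constructed
    default date) while its browser is still supported."""
    checkpoints = (-1, 0, GRACE_DAYS - 1, GRACE_DAYS, WARN_WINDOW_DAYS - 1, WARN_WINDOW_DAYS)
    return [(d, finding_grade(end_of_support, None, end_of_support + timedelta(days=d)))
            for d in checkpoints]


if __name__ == "__main__":
    for days, grade in grade_timeline():
        print(f"{days:4d} days after end of support: {grade:4s} affects rating: {affects_rating(grade)}")
```

The timeline prints GOOD the day before end of support, FAIR on days 0 and 27, WARN on days 28 and 364, and the assumed BAD on day 365; only the WARN and BAD days are reported as affecting the rating, matching the statement above that FAIR findings do not.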
See the following resources for more information: