- July 10, 2023: Updated Lifetime & Decay section for clarity.
- March 3, 2023: Clarification on the difference between duration and lifetime & the ratings impact of Patching Cadence; A breakdown of Patching Cadence concepts.
- October 20, 2021: Ratings Algorithm Update 2021.
Patching Cadence measures how long, on average, known vulnerabilities existed in an organization unpatched. This average time-to-remediate is weighted according to the severity of the vulnerability, so more severe vulnerabilities have a greater impact on the risk vector grade.
Patching Cadence measures an average, meaning that the number of vulnerabilities detected and the number of assets at an organization do not directly influence the grade. Companies with many Patching Cadence findings can have an excellent risk vector grade, provided the vulnerabilities are remediated quickly.
All vulnerabilities that can impact Patching Cadence are classified as confirmed.
Understanding Ratings Impact
- Both remediated and unremediated findings impact the grade, but only the unremediated findings can be affected by a company’s actions.
- Unremediated findings only impact the grade if they have been active for a time period that is longer than the current average remediation time. Otherwise, new unremediated findings would artificially drive down the average remediation time.
- As long as a finding remains unremediated, its duration continues to increase and its impact on the risk vector grade becomes increasingly negative.
- Because Patching Cadence represents an average, a quickly patched finding has a positive impact on the letter grade, while a finding that takes longer than average to patch has a negative impact.
- The impact (positive or negative) of a given finding is greatest on the day the vulnerability is patched. As soon as a finding changes from unremediated to remediated, its duration stops increasing. The impact of the finding then begins to decrease each day, reaching zero 300 days after the Last Seen date.
Patching Cadence Concepts
For a list of all data fields in Patching Cadence, see Patching Cadence Findings.
For information about scanning and refresh of findings, see How is the Diligence Risk Category Calculated?
| Concept | Description |
|---|---|
| Vulnerability Severity | The seriousness of a vulnerability; its innate potential for harm. (See Vulnerability Severity for details.) |
| Duration | The number of days a vulnerability is present on a given asset before the vulnerability is remediated. (See Duration for details.) |
| Lifetime | The number of days a finding continues to impact the grade after the vulnerability has been remediated. The lifetime of Patching Cadence findings is 300 days. (See Lifetime for details.) |
| No Findings | Letter grade "A" is assigned if there are no findings for this risk vector throughout its lifetime. |
More severe vulnerabilities have greater influence on the Patching Cadence grade. As mentioned, Patching Cadence is based on the average duration (time to patch), and severity is used as a weighting factor in that average.
Example: Consider two vulnerabilities with different severities, one of "minor" and the other of "material" severity. If both vulnerabilities were patched in the same number of days, the "material" vulnerability would have significantly more impact on the Patching Cadence grade.
Duration is the time a specific vulnerability remains unpatched on a specific asset. It is the number of days between when an asset is first observed to be vulnerable and when the asset is last seen to be vulnerable.
It can take up to 60 days for a vulnerability to be considered to be remediated. However, the ratings impact is always calculated as if it were remediated when the vulnerability was last seen. A vulnerability on a given asset is considered remediated if:
- A subsequent observation confirms that the vulnerability is not present on the asset. (Bitsight detects the patched asset.)
- The vulnerable asset has not been reachable for 60 days. (The asset was taken offline.)
A remediated finding will be returned to non-remediated if the same vulnerability is observed again on the same asset.
- If the vulnerability is re-observed within 180 days of the Last Seen date, the duration of the finding is extended and the Last Seen date is updated accordingly. (The vulnerability has been unpatched since the previous observation.)
- If the vulnerability is re-observed more than 180 days from the Last Seen date, a new duration period is started from the current observation. (The vulnerability was patched and is now vulnerable again.)
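The duration rules above (Last Seen as the end of the duration, the 60-day unreachable window, and the 180-day re-observation window) can be followed in an added example. This is illustrative code written for this page, not Bitsight's implementation; it assumes Last Seen is the most recent vulnerable observation, that an unremediated finding's duration runs to today, and that the observation dates are constructed sample data.

```python
from datetime import date

REMEDIATION_GAP_DAYS = 60        # from the text: unreachable for 60 days => remediated
REOBSERVATION_WINDOW_DAYS = 180  # from the text: re-observed within 180 days => extended

def build_findings(observations, today):
    """observations: list of (date, vulnerable) for one vulnerability on one asset.
    Returns findings as dicts with first_seen, last_seen, duration and remediated."""
    findings = []
    current = None
    for seen, vulnerable in sorted(observations):
        if vulnerable:
            if current is not None and (seen - current["last_seen"]).days <= REOBSERVATION_WINDOW_DAYS:
                current["last_seen"] = seen        # same finding: duration is extended
                current["clean_after"] = False     # and it returns to non-remediated
            else:
                current = {"first_seen": seen, "last_seen": seen, "clean_after": False}
                findings.append(current)           # more than 180 days: a new finding
        elif current is not None and seen > current["last_seen"]:
            current["clean_after"] = True          # patched asset detected by a later scan
    for f in findings:
        unreachable = (today - f["last_seen"]).days >= REMEDIATION_GAP_DAYS
        f["remediated"] = f.pop("clean_after") or unreachable
        # Impact is always computed as if remediation happened at Last Seen;
        # an open finding keeps accumulating duration (assumption: up to today).
        end = f["last_seen"] if f["remediated"] else today
        f["duration"] = (end - f["first_seen"]).days
    return findings

# Constructed sample: one vulnerability on one asset.
OBS = [
    (date(2023, 1, 1), True),
    (date(2023, 1, 15), True),
    (date(2023, 2, 1), False),   # clean scan: remediated
    (date(2023, 3, 1), True),    # re-observed 45 days after Last Seen: extended
    (date(2023, 10, 1), True),   # re-observed 214 days after Last Seen: new finding
]
TODAY = date(2023, 11, 1)

def sample_findings():
    return build_findings(OBS, TODAY)

if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```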
Lifetime & Decay of Patching Cadence Findings
A Patching Cadence finding impacts the risk vector grade for 300 days after it is remediated. The relative weight of the finding decays linearly over this period, so its contribution to the average remediation time shrinks each day until it is no longer included.
After all Patching Cadence findings are remediated, the average remediation time is adjusted so that it decays linearly during the remaining finding lifetime, enabling a corresponding increase in the risk vector score. This linear decay starts 60 days after the Last Seen date of the last vulnerable finding.
Patching Cadence measures average time-to-patch. Lifetime is how long each individual time-to-patch duration continues to be included in the average. This means that the 300-day lifetime period is not inherently negative (or positive) for the risk vector grade. The positive impact of a quickly patched vulnerability lasts throughout the lifetime period, just like the negative impact of a slowly patched vulnerability.
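The severity-weighted average, the rule that an unremediated finding only counts once it is older than the current average, and the 300-day linear decay described in this section and under Understanding Ratings Impact, combined in an added example. This is illustrative code for this page, not Bitsight's algorithm: the severity weights are assumed (the page gives none), "current average" is taken to be the decayed average of remediated findings, the all-remediated adjustment that starts 60 days after the last vulnerable finding is not modeled, and the findings are constructed sample data.

```python
from datetime import date

LIFETIME_DAYS = 300  # from the text: impact reaches zero 300 days after Last Seen

# Assumed weights for illustration only; the page states no numeric weights.
SEVERITY_WEIGHT = {"minor": 1.0, "material": 4.0}

def decay_factor(days_since_last_seen):
    """Linear decay of a remediated finding's weight: 1.0 on the patch day, 0.0 at 300 days."""
    return max(0.0, 1.0 - days_since_last_seen / LIFETIME_DAYS)

def weighted_average_duration(findings, today):
    """findings: dicts with severity, duration (days), remediated, last_seen (date).
    Returns the severity-weighted average time-to-patch, or None if nothing counts."""
    def weight(f):
        w = SEVERITY_WEIGHT[f["severity"]]
        if f["remediated"]:                      # open findings do not decay
            w *= decay_factor((today - f["last_seen"]).days)
        return w
    remediated = [f for f in findings if f["remediated"]]
    num = sum(weight(f) * f["duration"] for f in remediated)
    den = sum(weight(f) for f in remediated)
    current_avg = num / den if den else 0.0
    # An unremediated finding counts only once its duration exceeds the current
    # average, so a fresh unpatched finding cannot pull the average down.
    for f in findings:
        if not f["remediated"] and f["duration"] > current_avg:
            num += weight(f) * f["duration"]
            den += weight(f)
    return num / den if den else None

TODAY = date(2023, 11, 1)
SAMPLE = [  # constructed findings
    {"severity": "minor", "duration": 10, "remediated": True, "last_seen": date(2023, 10, 2)},   # 30 days: weight 0.9
    {"severity": "material", "duration": 40, "remediated": True, "last_seen": date(2023, 6, 4)}, # 150 days: weight 2.0
    {"severity": "material", "duration": 20, "remediated": True, "last_seen": date(2022, 12, 1)},# 335 days: aged out
    {"severity": "minor", "duration": 5, "remediated": False, "last_seen": date(2023, 10, 31)},  # below average: ignored
    {"severity": "material", "duration": 90, "remediated": False, "last_seen": date(2023, 10, 31)},  # counted
]

def sample_average():
    return weighted_average_duration(SAMPLE, TODAY)

if __name__ == "__main__":
    print(round(sample_average(), 2))
```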