Anyone Experience Risk Scores Jumping?

Has anyone experienced assets' risk scores jumping, then when you scan them they have the exact same number of vulns but are two or three times lower in risk score?

2 Likes

I have heard of similar situations where from the time between two different scans the actual risk per vulnerability has been raised or lowered, but it doesn’t seem like a frequent occurrence. Do you have specific examples of the vulnerabilities themselves?

For example, when you look at the two scan dates, does the actual risk per vulnerability change, or does it stay the same and only the total asset risk score changes?

Also, something to consider is whether you have dynamic tagging for criticality tags and risk score adjustment turned on. If an asset was previously being tagged as a very high criticality asset and then somehow dropped that tag, then the risk would have been cut in half in theory.

1 Like

Yeah, we are having the same issues. We have assets showing 1 or 2 vulns at a risk score of 850, but in the asset details it’s showing a risk score of 49k. Created a ticket with support, but I think it has something to do with the recent update release:
https://docs.rapid7.com/release-notes/insightvm/20220803/

Yes, I got word from an engineer that the release to .154 from yesterday would fix it.

1 Like

Thanks, @john_hartman, I remembered the use of tagging using criticality and we aren't using those yet, but I did look at first. We just found out it was a bug; it should be fixed now with the recent version update from yesterday.

1 Like