Since the update we are now seeing First Found Date and First Found (number of days ago) on assets and vulnerability pages. When I look at vulnerabilities and what is out of compliance, we use the date “vulnerable since”. This new first found stuff appears to show how long the software, etc. has been on the asset whether or not it was actually a discovered/published/etc flaw. I understand this is supposed to provide info on “the number of days elapsed since a vulnerability was first found” per the email communication, but that is confusing as it wasn’t a vulnerability yet. For example, Microsoft Edge Chromium: CVE-2022-4135 Heap buffer overflow in GPU, was first published as a vulnerability around November 24, 2022. However, according to the first found information, it was first found 58 days ago, not 8 days ago.
I am hoping that someone smarter than me can tell what the actual significance is of this and what helpful/useful information it provides.
Another question is this; does the “first found” information now play into the risk strategies? Is risk score going to go up because it is now being seen as older than when the vuln was actually published?
The ‘First Found’ and ‘First Found On’ fields were added to provide some more context when viewing assets and vulnerabilities in the UI. Those fields are using existing information from the database, but it’s being presented incorrectly in the UI at the moment. The ‘First Found On’ date should match what you’re using for your current process (‘Vulnerable Since’), and the ‘First Found’ days ago shouldn’t be greater than the age of the vulnerability. We’re currently working on a fix for this issue and hope to have that displaying the correct information soon.
The ‘First Found’ date doesn’t have any impact on Real Risk scoring, which will still use the vulnerability publish date as an input. Folks can still use other data, such as vulnerability age, to drive reporting and compliance.
We shipped this fix with today’s product update, so once your console is updated to version 6.6.172 you should see the correct ‘First Found’ and ‘First Found On’ information on asset and vulnerability pages. Thanks for your patience and understanding!
Thank you, Justin. Just to be clear, the first found and first found on should properly reflect when it became a known or published vulnerability correct? And the date and number of days since will properly reflect that? I’m restarting the console now.
Great question. Those values will reflect when the instance of the vulnerability itself was detected on the asset, not when the vulnerability was published or added to the solution. There may even be multiple instances of a vulnerability detected at different times, and that will be reflected as well (you may, for example, find a vulnerability on multiple ports that have been scanned at different times).
I got a little ahead of myself. We fixed the issue on Asset pages (within the ‘Vulnerabilities’ table displayed), and are currently working on a fix for the Vulnerability pages (within the ‘Instances’ table displayed). I’ll follow up here when that’s also complete.
What about instances where “Vulnerable Since” is much further in the past than “First Found”? If “First Found” is the date the condition, whether known as a vulnerability or not, first appeared on an asset, how can “Vulnerable Since” be older than that?
Basically, we’re seeing vulnerabilities appear on asset scans that never appeared on those assets before, though they are scanned weekly, but the “vulnerable since” date in the report for that asset shows a date many months in the past.
Don’t quote me on this but I believe we are still seeing issues/errors in reporting the “first found” or “vulnerable since” date. This was supposed to be fixed in an update, but I’m noticing first found dates that should be much older. So this may play into what you are seeing. Again, I could be wrong, but something isn’t right with those dates (for us). At this point I’m just waiting.
Looks like it is working in the asset pages. Thanks for the updates!