When you bring in your vulnerability data into Cisco Vulnerability Management, you may see that some of the findings are classified as Informational and have a score of 0. Cisco Vulnerability Management does not apply a score to any finding that does not have a CVE/CWE or WASC Identifier associated to it.
To view findings that are classified as Informational, expand the Classification filter under the Vulnerability Filters on the right hand side of the Explore page:
On the Vulnerabilities tab, you’ll see all of the findings that have come in that are considered Informational. Some of these findings may have a score of 0, but may still pose reputational or brand risk to your environment. These findings may include expired SSL certificates or End of Life software.
Many of our customers will create risk meters for the items they want to keep track of and have their remediation teams address as well. Tracking these in a separate risk meter is one way to track them, but you may also want them to count in the risk score calculation for an asset/risk meter so that they bubble up as well.
Adjusting the Score of Informational Vulnerabilities
From Within the UI...
While these may not pose more risk than the high risk findings that are scored, you may wish to adjust the score so that these findings can be remediated based on the policies you set forth internally. Vulnerability scores can be adjusted by any user that has Administrator, Write or custom access with the Vulnerability Score Override permission set. This permission should be granted to a limited amount of users as scores can be adjusted on any vulnerability, not just ones that are considered Informational.
To adjust the score in the UI, you can select the checkbox for the vulnerability, click the Edit menu and select Score:
You will see the below menu which will explain that by adjusting the score of the vulnerabilities you are removing the vulnerability from the automatic scoring algorithm and the score will NOT be auto-adjusted dynamically.
Please keep in mind that when you override a score, it is for a specific finding(s) on a specific asset(s). If you have a new asset that come in to Cisco Vulnerability Management with this finding, the score will not be automatically set to your adjusted score and will need to be adjusted as well.
From the API...
You can also override the scores of vulnerabilities by using the vulnerability API endpoint. Documentation can be found in our API guide here.
Reach out to your Customer Success Team for further discussion on Informational findings and score overrides.