A vulnerability detection has a lifecycle. I have described this many times for new administrators, and recently included the information in a post response, which prompted me to create this document in the hope of making the information easier to find.
Going into this, let's all try to remember three very important facts:
- All detections are a snapshot in time, a momentary capture of information that could change the very next moment.
- Detections are entered in the database keyed by a specific combination of IP, QID and Port.
  - Example: Many detections that report on port tcp/80 will also report on tcp/443. These are two detections made unique by the TCP port.
- Vulnerability management is a never-ending cycle of "trust, but verify".
Detection Statuses Explained (in my own words):
NEW = First time detected (ever); occurs once, and only once, for a specific combination of IP, QID and Port.
ACTIVE = Detected in 2 or more consecutive scans on a specific combination of IP, QID and Port.
  - This status is reported on the scan following one that reported NEW or REOPENED, and continues to be reported until FIXED is reported.
FIXED = Not detected in the very last scan, on a specific combination of IP, QID and Port.
  - This status can occur following NEW, ACTIVE or REOPENED and can be reached multiple times over, hence the reason for Last Fixed Date.
  - FIXED means the condition found previously was INACTIVE at the time of the most recent detection scan.
REOPENED = First time detected following a FIXED status result on a specific combination of IP, QID and Port.
  - REOPENED will appear only ONCE after a previous scan returned a FIXED status; all subsequent detections will be marked ACTIVE until FIXED is reported.
  - This status can occur more than once, hence the reason for Last Reopened Date.
  - IMPORTANT: Vulnerability detection scans are a snapshot in time. If you see a QID "flapping" between ACTIVE > REOPENED > FIXED, additional research into the detection and asset status is needed.
NEW, ACTIVE, REOPENED = ACTIVE, unmitigated, potentially exploitable risk.
FIXED = INACTIVE, potentially exploitable risk was not detected in the last detection scan occurrence.
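The lifecycle described above as a small state machine, added here as an illustration (this is not Qualys code): each (IP, QID, Port) key gets its own record, and replaying a sequence of scan results yields the NEW/ACTIVE/FIXED/REOPENED statuses, the Last Fixed and Last Reopened dates, and a simple flapping check. The record field names, the constructed scan dates and the "more than one reopen" flapping threshold are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Detection records are keyed by (IP, QID, Port); the port is what makes a
# tcp/80 and a tcp/443 finding for the same QID two separate records.
Key = Tuple[str, int, int]

@dataclass
class Detection:
    status: Optional[str] = None       # NEW, ACTIVE, FIXED or REOPENED (assumed field names)
    first_found: Optional[str] = None
    last_fixed: Optional[str] = None
    last_reopened: Optional[str] = None
    reopen_count: int = 0

def apply_scan(d: Detection, detected: bool, scan_date: str) -> Optional[str]:
    """Advance one record by one scan result; returns the status after that scan."""
    if detected:
        if d.status is None:                      # first time detected, ever
            d.status, d.first_found = "NEW", scan_date
        elif d.status == "FIXED":                 # first detection after a FIXED
            d.status, d.last_reopened = "REOPENED", scan_date
            d.reopen_count += 1
        else:                                     # NEW/REOPENED/ACTIVE -> ACTIVE
            d.status = "ACTIVE"
    elif d.status in ("NEW", "ACTIVE", "REOPENED"):   # not seen in the last scan
        d.status, d.last_fixed = "FIXED", scan_date
    # never detected, or already FIXED: nothing new to record
    return d.status

def run_history(results: List[Tuple[str, bool]]) -> Tuple[List[Optional[str]], Detection]:
    """Replay a list of (scan_date, detected) results for a single key."""
    d = Detection()
    return [apply_scan(d, hit, date) for date, hit in results], d

def is_active_risk(d: Detection) -> bool:
    """NEW, ACTIVE and REOPENED are unmitigated; FIXED was not detected in the last scan."""
    return d.status in ("NEW", "ACTIVE", "REOPENED")

def is_flapping(d: Detection, max_reopens: int = 1) -> bool:
    """More than one REOPENED on the same key is the cue to look at the asset and scan."""
    return d.reopen_count > max_reopens

# Constructed sample: one key, six weekly scans.
SAMPLE = [("2024-01-01", True), ("2024-01-08", True), ("2024-01-15", False),
          ("2024-01-22", True), ("2024-01-29", True), ("2024-02-05", False)]

if __name__ == "__main__":
    statuses, rec = run_history(SAMPLE)
    print(statuses, rec.last_fixed, rec.last_reopened, is_flapping(rec))
```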