AnsweredAssumed Answered

QG Severity Rating vs CVSS vs Microsoft

Question asked by rajasekhar.m.reddy on Apr 28, 2013

Hi All,


We are trying to understand how Qualys defines severity. We are having 2 diffrent rating for an organization with respect to Patch Management Team & Vulnerability Assessment Team.


Patch Management defines/rates a patch based on the importance of the application/software that is being used across the organization. Eg: Office related patches are rated as Low on servers when compared to Microsoft's Critical/Important.


As of now we are looking forward to standarize the patch ratings across MS, QG & our internal teams. So we need some help on understanding Qualys Severity (1 to 5) and Microsoft (Critical, Important, Moderate & Low).


Is these all ratings coming from Common Vulnerability Scoring System or  some other orgaizational standards?


Also the same in the case of Policy Compliance, can we define a severity for each control based on Operating System? Looking forward to discuss on this.


Thanks & Regards,