Ratings inconsistency

Question asked by VMWiz on Apr 10, 2014

We are a Qualys VM customer, and have a site that has weak ciphers present on it. In Qualys VM, this is rated as a Severity 3 vulnerability (out of 5) and is prioritized for remediation based on that severity. When news of the Heartbleed vulnerability broke yesterday, someone told one of our executives to use the SSL Labs site to see if his sites were vulnerable. While they were NOT vulnerable to Heartbleed, he did freak out because the site received an "F" due to the weak ciphers. It seems to me that the rating scales should be consistent among the products that Qualys provides. So the question becomes this: Are weak ciphers a severity 3 as Qualys VM states, or are they a 5 as SSL Labs would seem to imply? Anyone else running into this? Thanks!!