We have a situation where a Microsoft bulletin was published earlier this month. However, Qualys shows that the vulnerability was published in April 28th.
We have set a 90 window to resolve vulnerabilities.
Based on Qualys' published date of the vulnerability we are at the end of our 90 day window, we should have over two months left, according to Microsoft. This impacts our score card.
The question is-can Qualys be configured to start the 90 day window based on Microsoft's patch release date rather than the vulnerability published date?
Thank you and appreciate any feedback on this-