Effects of Customization
If you choose the Advanced Rating Methodology, you will have one consistent rating across both sites and applications, and you will be able to set priorities for your sites to assist in determining where to apply your resources for remediating vulnerabilities.
If you choose the Legacy Rating Methodology, vulnerabilities identified on your Applications will be rated based on risk (impact and likelihood) but vulnerabilities identified on Sites will be rated based on severity only. It is not possible to set priorities for sites under the Legacy Rating Methodology.
Please see "How Ratings are Determined" for an example of the effect of setting site priority.
Setting a custom policy for an asset or group of assets allows you to override the TRC-determined Rating and/or set the CVSSv3 factor values as you choose for the specific vulnerability class or classes that are customized. For each vulnerability class, you can choose to accept the risk, or you can set the custom rating for that class as you choose. The WhiteHat rating will still be visible in the Custom Rating Policy page, and will be used to determine the WhiteHat Security Index value and PCI Compliance status for that asset, but your custom rating and/or custom CVSSv3 value will be reflected in your findings pages, in your dashboards, and in your reports.
These changes will affect all the assets (or groups of assets) selected.
In addition to creating a custom policy that will accept or set the rating for a given vulnerability class across a selected set of assets, you can also either accept or set the rating for a specific vulnerability based on the vulnerability ID. Making this change will not affect the rating of any other vulnerability of the same vulnerability class, even if it is located in the same asset; the change will affect only the selected vulnerability. As with rating policies, the change will affect your dashboard and findings along with many reports, but the WSI Report and the PCI 3.2 Compliance Report will be based on WhiteHat or PCI standards, respectively.
Vulnerabilities with custom ratings will show a "control panel" icon next to the rating. The same icon will be visible under "quick actions," and selecting it will show you the original rating; if the rating was customized by a policy, it will also show you the policy in effect.
The Executive Summary and Asset Summary Reports will include the customized vulnerabilities at their custom values. Vulnerabilities with custom ratings will have the notation "(customized)" following the rating in the Vulnerability Details report. Custom values for CVSSv3 ratings will be displayed in the Vulnerability Details report and the Attack Vector report.
The WhiteHat Security Index Report, Security Audit Report, and the PCI 3.2 Compliance Report will use the WhiteHat ratings or the PCI standards, as applicable, and will not be affected by vulnerability customization.