Understanding the Legacy Rating Methodology

Black Duck strongly recommends that customers use the Advanced Rating Methodology. Under that methodology, sites and applications are evaluated against the same standards, so reports based on the Advanced Rating Methodology use a single rating scale for both sites and applications. In addition, the Advanced Rating Methodology allows customers to set priorities for their sites, which helps prioritize the remediation of vulnerabilities according to business needs.

In the Legacy Rating Methodology, sites and applications are evaluated differently: sites are rated according to Severity, and applications are rated according to Risk. (For more information on Risk, please see Understanding the Advanced Rating Methodology.)

The Legacy Rating Methodology does not incorporate the site priority in its ratings.

Severity reflects the amount of damage that could be done to your business if a particular vulnerability is exploited. Severity is described as informational, low, medium, high, critical, or urgent. (An informational finding reflects a situation where best practices may not be followed, but no actual vulnerability is currently present.) In the Legacy Rating Methodology, vulnerabilities found on sites are rated according to the Severity of the vulnerability. This rating is reflected in the findings pages, in the dashboard, and in your reports.

Vulnerabilities identified in sites will also have a Threat level reported under "Score" on the Vulnerability Details page. See Understanding Threat for more information.

To change your rating methodology, please see "Changing Your Rating Methodology."

For user guides and additional information, log on to the Black Duck Community.

To provide feedback on the user documentation, please email docs@whitehatsec.com. Thank you!