We at Rapid7 are committed to providing our customers with the best, most accurate vulnerability detection and remediation information. To better serve you, starting October 28th, 2015, Rapid7 will begin generating content for Nexpose in a way that will provide greater visibility into risk. This change will start with content generated for Adobe, Debian and Ubuntu, and eventually all supported platforms will transition to this approach. For the end user, the benefit is a more accurate representation of risk and better data to prioritize remediation steps.
As a customer, you may be asking: how will this change impact me? Under the historical approach, vulnerability results were reported from the perspective of the vendor, via its advisory, which may contain one or more vulnerabilities. Unfortunately, this masked actual risk in a way that was not anticipated. For example, the Ubuntu advisory USN-2735-1 addresses 8 vulnerabilities (CVE-2015-1291, CVE-2015-1292, CVE-2015-1293, CVE-2015-1294, CVE-2015-1299, CVE-2015-1300, CVE-2015-1301, CVE-2015-1332).
Historically, we would have taken the highest CVSSv2 score out of those 8 (which in this case is a 7.5) and reported the advisory as one vulnerability with that score. Going forward, Nexpose will report the score per vulnerability, giving you greater visibility into the risk within your environment through more detailed vulnerability results.
We will publish a supplementary blog post for each platform that moves to the vulnerability-centric approach.