Skip to content Skip to site navigation Skip to service navigation

Qualys Governance - Outcomes and Decision Log

The Qualys governance group meets at least once per month and decides strategic direction for the program, reviews requests for global QID exclusions, and makes decisions about modification of risk levels of QIDs. All of the decisions made in the meetings are updated on this page.

Qualys and Vulnerability Management Program Changes

November 2018
  • Purging of stale asset data:
    • ISO will now purge stale asset data after an asset has not been seen for 90 days vs. 180 days.
    • ISO will attempt to purge the data on, or around, the 25th of each month.
  • Agreement was made to promote the #iso-public Slack channel as an additional forum for the community to discuss Qualys instead of creating a new channel.
  • Agreement was made that the governance group will review requests to add Stanford unique TCP/UDP ports to the default ISO scan profile.
    • No additions were made as of yet.
  • Criteria established for reclassifying QID severity to a level 2. The criteria is:
    • The QID is information disclosure only AND
    • No action can be taken because the remediation is to apply firewall segmentation
  • Criteria established for globally excluding QIDs from ISO managed reports
    • ISO may choose to add a QID to the "ISO Managed Ignored QIDs" list only after the Qualys Governance group has come to an agreement that the risk level is low and that the QID is commonly a false positive. The QID is only ignored in the ISO provided monthly reports, but will remain on the asset itself.
  • The following QIDs were identified as being common false positives and have been added to the “ISO Managed Excluded QIDs” list:
    • 68521: NFS-Utils Xlog Remote Buffer Overrun Vulnerability
    • 66040: Statd Format Bug Vulnerability
    • 43393: IPMI 2.0 RAKP Authentication Remote
  • The following QIDs had their severity reclassified to level 2
    • 105459: EOL/Obsolete Software: SNMP Protocol Version Detected
    • 86476: Web Server Stopped Responding
    • 42414: (Intelligent Platform Management Interface (IPMI) Detected)
  • The following QID was removed from the “ISO Managed Excluded QIDs” list because it no longer met established criteria for being globally ignored.
  • September 21, 2023: The following QIDs were reclassified from Severity 3 to Severity 2 as they pose lower risk to Stanford's Network and also reflect our infrastructure's compensating controls:
    • 70009: NetBIOS Release Vulnerability
    • 70008: NetBIOS Name Conflict Vulnerability

Last modified September 20, 2023