1 Reply. Latest reply: May 23, 2012 1:10 PM by ktodd

Variance in findings between Qualys and Tenable PCI ASV Scan?


We are migrating from Qualys to Tenable's PCI Perimeter Scan service and have some questions about findings we are seeing in our first Tenable PCI ASV scan, but not in a current Qualys PCI ASV scan of the same IPs.


For example, Qualys rates the following finding as a Low, while Tenable rates it as a Medium.  Why is there a difference?


Plugin ID 20089 - F5 BIG-IP Cookie Remote Information Disclosure
Risk Factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin Information: Publication date: 2005/10/26, Modification date: 2011/03/11


Qualys rates this as a Low PCI Finding. 


F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability
QID: 86725
Category: Web server
Port/Service: 443 / Web server (tcp)
CVSS Base: 2.6
CVSS Temporal: 2
False Positive: N/A
Bugtraq ID: -
CVE ID: -
Vendor Reference: -
Last Update: 02/03/2010 at 15:43:56


It is expected that all PCI ASVs are identical in scanning parameters.  Do we need to request exceptions for the variances or does Tenable need to update its rating?

  • Re: Variance in findings between Qualys and Tenable PCI ASV Scan?

    Hi Chris,


    The difference in severity and scoring may be that for the CVSS equation, Tenable has the attack complexity set to “Low” where it would appear that Qualys may possibly have it set to “High” (hence the 2.6 score based on CVSS2 AV:N/AC:H/Au:N/C:P/I:N/A:N).  Since there's no CVE/NVD entry for the vulnerability, each ASV "must provide its own risk score using the CVSS scoring system", per the ASV Program Guide.  In this case, if the vulnerability is not relevant to your environment or you would otherwise feel that an exception is warranted, the finding can be disputed in the PCI Scanning Service interface and taken through the dispute remediation process.