- How vulnerability scanning works
- Inventory Management and Risk Scoring
- Scan Eligibility: What Gets in the Queue
- Queueing and Prioritization
- The Scanning Process
- Auditing and Results
- User Control: How to Stop Scanning an Asset
- Scan limits
Efficient vulnerability management begins with knowing what you have and how critical it is. Savant Vista runs ongoing vulnerability scans against your approved assets and surfaces findings in a prioritized, filtered view. This guide will walk you through the process of prioritizing your assets for the vulnerability scanning process.
How vulnerability scanning works
Once you approve assets in your inventory, Savant Vista automatically schedules vulnerability scans based on your account’s scan frequency (weekly, monthly, or quarterly). Scans run against the assets in your inventory up to the asset quota limit for your tier. Quota resets on this scan frequency.
Scan results appear in the Security Inbox alongside findings from your Bugcrowd testing programs. Each finding is linked to the specific asset it affects. Your Bugcrowd account manager will need to configure vulnerability scanning for your security programs.
Vulnerability scanning covers externally reachable assets only. It does not test internal or non-publicly routable infrastructure.
Inventory Management and Risk Scoring
Before an asset can be scanned, it must be properly identified and prioritized within your Asset Inventory.
Reviewing Assets
Use the Asset Inventory dashboard to see a bird’s-eye view of your total assets, such as Domains, Networks, and Services.
Assigning Criticality Scores
Vulnerability scanning is prioritized based on the Asset Criticality Score (Critical to Low). Assets with higher criticality scores will be prioritized.
Approval Workflow
Ensure assets are in the Approved status to be eligible for automated security programs.
Scan Eligibility: What Gets in the Queue
For an asset to be automatically queued for scanning, it must meet two specific conditions:
- Status is “Approved”: Only assets explicitly marked as Approved in the inventory are eligible.
- Asset Criticality is Present: An asset must have an assigned Asset Criticality score to enter the workflow (e.g., Critical, High, or Moderate).
Queueing and Prioritization
The system manages the scanning list through an ongoing, two-step process:
- Ongoing Queueing: Every 5 minutes the scheduler checks for new eligible assets and adds them to the queue.
-
Dynamic Prioritization: The queue is automatically reordered based on two levels:
- Primary (Criticality Score): Assets with the highest Asset Criticality Score are moved to the front of the line.
- Tie-Breaker (Asset Age): If multiple assets have the same score, the oldest asset (based on the Created at date) is scanned first.
The Scanning Process
The transition from queued to scanning depends on your specific settings and limits:
- Scheduled Frequency: Assets are not scanned immediately upon being queued; they are sent to scan based on your organization’s set frequency, such as weekly, monthly, or quarterly. Weekly is the default for most customers.
- Batching and Quota: When the scheduled time arrives, the scheduler sends a batch of the highest-priority assets while respecting your available scan quota.
- In-Progress Monitoring: You can view live scans in the Vulnerability scans tab, which displays an In Progress badge and the next scheduled scan date.
- Manual Override: If you need an immediate scan outside of the schedule, you can click Vuln. scan now in the Asset Details on any individual asset.
Auditing and Results
Once a scan is triggered or completed, you can track the activity through multiple views:
- Activity Logs: Filter by the event Vulnerability scan updated to see a timestamped audit trail of when specific assets were scanned.
-
Asset Details: The Asset Details page shows:
- Vulnerability scans: The status of the vulnerability scan.
- Last vuln. Scan: The timestamp of the last scan.
| Status | Meaning | Action Required |
|---|---|---|
| In Progress | Scan is currently running. | Wait for completion. |
| Completed | Scan finished successfully. | Review the Vulnerability Detections count. |
| N/A | Initial scan completed. | Check Next scheduled scan date for next scheduled scan. |
User Control: How to Stop Scanning an Asset
To remove an asset from the scheduler’s queue (future scans only), you must manually make it ineligible by:
- Un-approving the asset: Changing its status from Approved.
- Removing the Asset Criticality: Clearing the score removes it from the prioritization logic.
- Archiving the asset: Moving the asset to the Archived section.
Considerations
- The above actions will not stop an in-progress scan. It will only lower the asset’s priority in the queue, potentially resulting in it not being scanned if your quota is exhausted by higher-priority items.
- Monitor your quota and if your Weekly scan quota available is near zero, visit Bugcrowd Support and create a support ticket to inquire about increasing your limit.
Scan limits
The number of assets scanned per cycle depends on your account tier. If you have questions about your current limits, visit Bugcrowd Support and create a support ticket.
Standard accounts include vulnerability scanning for 10 assets per week. Former Informer customers retain their existing scan configuration at a larger volume.