Vulnerability Scoring

Vulnerability Scoring Overview

Pulsar incorporates a basic vulnerability scoring system designed to help Red Teams and Pentesters prioritize assets during the reconnaissance phase. Unlike comprehensive Vulnerability Management Platforms, Pulsar focuses on identifying high-level "weak points" and infrastructure relations to highlight where an organization's perimeter is most brittle.

The scoring mechanism acts as a heuristic to guide manual investigation rather than a definitive risk assessment.

How Scores are Calculated

Pulsar calculates scores by correlating discovered asset metadata with known vulnerability databases and configuration weaknesses. The process follows these stages:

1. Service & Version Detection: Using integrated tools like Nmap and WhatWeb, Pulsar identifies running services and their specific version strings.
2. CVE Correlation: Detected versions are cross-referenced against the NVD (National Vulnerability Database) data feed.
3. Configuration Auditing: Tools like SSH Audit are used to identify weak cryptographic settings or outdated protocols that contribute to the overall risk score of an asset.
4. Asset Aggregation: Scores are aggregated from the service level up to the DomainInstance and AssetInstance. This allows you to see which subdomains or cloud resources pose the greatest cumulative risk to the parent organization.

Scoring Factors

| Factor | Description | Source | | :--- | :--- | :--- | | CVE Severity | Base scores derived from CVSS metrics found in the NVD feed. | NVD Data Feed | | Service Exposure | Identification of sensitive ports or services exposed to the public internet. | Nmap / ZMap | | Crypto Weakness | Outdated SSH versions, weak ciphers, or expired certificates. | SSH Audit / Nmap | | Resource Relations | The proximity of a vulnerable asset to other critical infrastructure (visualization-based). | Internal Logic |

Interpreting Vulnerability Data

Vulnerability data is accessible via the Pulsar Web UI and the REST API. Each discovered vulnerability is linked to its respective asset to show the "weak point" in context.

Viewing Scores via API

To retrieve vulnerability data for a specific asset programmatically, you can query the Asset endpoints.

Request: GET /api/assets/{id}/

Sample Response (JSON):

{
  "id": 105,
  "hostname": "dev.example.com",
  "vulnerability_score": 7.5,
  "findings": [
    {
      "title": "Outdated SSH Version",
      "severity": "Medium",
      "source": "SSH-Audit",
      "description": "The server is running an obsolete version of OpenSSH."
    },
    {
      "title": "CVE-2021-XXXX",
      "severity": "High",
      "cvss": 8.1,
      "source": "NVD"
    }
  ]
}

Optimization and Accuracy

Because Pulsar is designed for "wide and uncharted" scopes, users should keep the following in mind to ensure score accuracy:

• NVD Updates: Ensure the local NVD Data Feed is synchronized to catch the latest published vulnerabilities.
• Scan Policies: The depth of scoring is directly tied to the scan policy. A "Full Scan" that includes version detection will produce more accurate scores than a "Discovery" scan.
• Confidence Levels: Pulsar provides basic scores; secondary manual validation is always recommended to filter out false positives generated by version suppression or backported security patches.

Identifying Infrastructure Weak Points

One of Pulsar's core strengths is Data Visualization. By combining vulnerability scores with network footprinting, the platform allows users to:

• Identify "Clusters of Vulnerability" where multiple weak assets share the same subnet or TLD.
• Trace how a single vulnerable cloud resource might provide a path into the wider corporate infrastructure.
• Visualize the relation between subdomains and their underlying IP space to find overlooked entry points.