Overview
Automox has improved how vulnerability severity data is calculated and displayed for third-party applications. These enhancements increase accuracy, expand coverage, and reduce false positives by using version-aware CVE mapping powered by VulnCheck.
This article explains how third-party severity data works, what changed, and what you can expect in your environment.
Environment
- Automox Cloud Platform
- Third-Party Patching
- Applies to all customers using Automox-supported third-party applications
No configuration changes are required.
What Changed
Expanded Third-Party Coverage
Severity data is now available for all Automox-supported third-party applications. Previously, severity data was limited to a smaller subset of titles.
New Primary Data Source: VulnCheck
Automox now uses VulnCheck as the primary source for:
- CVE metadata
- CVSS scores and severity ratings
- Affected CPEs (vulnerable version ranges)
- Remediated CPEs (when available)
This data is ingested daily and normalized to ensure consistent processing across all third-party packages.
Version-Aware CVE Mapping
The Automox console now displays only CVEs that are:
- Relevant to the installed version
- Explicitly remediated by the update being applied
This prevents historical or unrelated CVEs from inflating severity counts.
How Third-Party Severity Data Works
Automox evaluates each third-party package version using three questions:
- What CVEs is this version vulnerable to?
- What CVEs does this version explicitly remediate?
By separating “vulnerable to” from “remediates,” Automox avoids mapping packages to CVEs that do not apply to the installed version.
This enables you to:
- View accurate exposure reporting
- Build reliable severity-based policies
- Align more closely with external vulnerability scanners
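The "vulnerable to" versus "remediates" split described above, sketched as an added Python illustration (this is not Automox or VulnCheck code). It assumes dotted numeric versions and affected ranges expressed as an inclusive first-affected version and an exclusive first-fixed version; the product, CVE IDs, and records are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

def parse(version):
    # "2.3.10" -> (2, 3, 10): compare numerically, since "2.3.9" < "2.3.10" is False as strings.
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class CveRecord:
    cve_id: str            # constructed placeholder, not a real CVE
    severity: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first remediated version (exclusive); None = no fix published

    def affects(self, version):
        v = parse(version)
        if v < parse(self.introduced):
            return False
        return self.fixed is None or v < parse(self.fixed)

def vulnerable_to(records, version):
    return {r.cve_id for r in records if r.affects(version)}

def remediated_by(records, installed, update):
    # Only CVEs the installed version is exposed to AND the update closes.
    return vulnerable_to(records, installed) - vulnerable_to(records, update)

def highest_severity(records, cve_ids):
    ranks = [SEVERITY_ORDER.index(r.severity) for r in records if r.cve_id in cve_ids]
    return SEVERITY_ORDER[max(ranks)] if ranks else None

# Constructed records for a hypothetical product.
RECORDS = [
    CveRecord("CVE-EXAMPLE-0001", "critical", "1.0.0", "1.4.0"),  # historical
    CveRecord("CVE-EXAMPLE-0002", "high", "2.0.0", "2.3.10"),
    CveRecord("CVE-EXAMPLE-0003", "medium", "2.2.0", "2.3.10"),
    CveRecord("CVE-EXAMPLE-0004", "critical", "2.3.0", None),     # still unfixed
    CveRecord("CVE-EXAMPLE-0005", "high", "2.3.10", "2.4.0"),     # only affects the newer build
]

if __name__ == "__main__":
    installed, update = "2.3.9", "2.3.10"
    fixed = remediated_by(RECORDS, installed, update)
    print("version-blind CVE count:", len(RECORDS))
    print("installed is vulnerable to:", sorted(vulnerable_to(RECORDS, installed)))
    print("update remediates:", sorted(fixed), "->", highest_severity(RECORDS, fixed))
```

With these records, a version-blind mapping would attach all five CVEs (and a Critical rating) to the 2.3.10 update, while the version-aware result is two remediated CVEs with a highest severity of High.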
Why This Matters
- Reduces False Positives: You no longer see CVEs that do not apply to the installed version. This reduces noise and improves prioritization.
- Enables Reliable Severity-Based Policies: Policies targeting Critical, High, or KEV vulnerabilities now operate on version-specific data.
- Improves Scanner Alignment: CVE counts and severity levels more closely align with external vulnerability scanning tools.
- Reduces Alert Fatigue: Cleaner vulnerability data supports clearer remediation decisions.
What to Expect in Your Environment
Severity-Based Policies May Behave Differently
Because severity data is now version-aware:
- Some patches that previously ran may no longer be in scope
- Additional third-party applications may now be included in severity-based policies
If a patch requires a restart, restart behavior remains consistent with existing Automox functionality.
Console Views and Reports May Change
You may notice changes to:
- CVE counts
- Severity levels
- In-scope items
These differences reflect improved accuracy, not increased risk.
Does This Change Patching Behavior?
No. There are no changes to:
- Patch deployment logic
- Approval workflows
- Scheduling behavior
- Restart policies
This update only affects how severity and CVE data are calculated and displayed.
Coverage Notes
- Coverage is strongest for CVEs from the past five years.
- All updates are automatically applied at the platform level.
No customer action is required.
Summary
Automox’s third-party severity data is now:
- Powered by VulnCheck
- Version-aware and remediation-specific
- Continuously improving
You benefit from clearer exposure reporting, fewer false positives, and more reliable severity intelligence across your environment.