The vulnerability confidence rating is a new concept introduced in Acunetix v13. The confidence rating percentage gives an indication of how confident Acunetix is that the vulnerability exists.
There are several aspects that can affect vulnerability existence confidence. These include the following:
- Some vulnerabilities can be detected using techniques that make the detection more accurate.
- Other vulnerabilities are more prone to be false positives due to the nature of the vulnerability or the way that the vulnerability is detected.
- Vulnerabilities detected using AcuSensor are very unlikely to be false positives.
- Most out-of-band vulnerabilities detected using AcuMonitor have a very high accuracy rate, too.
The confidence rating gives an indication of how accurate the detection of the vulnerability is. The confidence rating can be one of the following:
- 100%: Acunetix is 100% confident that the vulnerability exists. Such vulnerabilities can be relayed directly to the development or administration teams for fixing.
- 95%: Acunetix is pretty sure that the vulnerability exists, however, due to the nature of the vulnerability, it could not fully confirm its existence. These vulnerabilities can usually be relayed to the developers too but might require some manual checking first.
- 80%: Due to the way that these vulnerabilities are detected, they are more prone to be false positives. They require manual verification before being relayed to the development team for fixing.
We made it a point not to include any vulnerability checks where the confidence level is less than 80%. In addition, we are constantly looking for new techniques to improve the confidence level of existing Acunetix vulnerability checks.