
Vulnerability assessment service

Scan the domains on your Secure Site Pro and Secure Site EV certificate orders to check for vulnerabilities

Secure Site Pro SSL, Secure Site Pro EV SSL, and Secure Site EV certificates provide access to a vulnerability assessment service. This vulnerability assessment service allows you to identify and act against the most exploitable weaknesses on your website. To learn more about the benefits of Secure Site Pro and Secure Site EV certificates, see Pro TLS/SSL Certificates and Secure Site Certificates.

Vulnerability assessment is a cloud service, so there is nothing to install. After we issue your Secure Site Pro or Secure Site EV certificate and you enable vulnerability assessment for the order, you can start using the service to scan the domains on the certificate.

Vulnerability assessment helps you:

  • Keep your website off the blocklist that Google, Yahoo, Bing, and other search engines create for sites found with malware.

  • Reduce the risk of bad actors finding and attacking your site.

  • Identify the weaknesses on your website that are most likely to be used for malicious attacks.

  • Quickly remediate these vulnerabilities, making it easier to secure your site.

Vulnerability assessment includes:

  • An automatic weekly scan for vulnerabilities on public-facing web pages

  • An easy-to-read actionable report identifying critical vulnerabilities that you should investigate and informational items that pose a lower risk

  • An option to rescan your website to confirm that vulnerabilities were fixed

Vulnerability report ratings

When you enable DigiCert’s vulnerability assessment service, DigiCert scans the domains on the certificate and generates the vulnerability reports using these two ratings:

  • DDI rating is a Digital Defense curated CVE scoring.

    Generally, it aligns with the CVE severity, but in some cases it shows a higher or lower severity based on exposure, such as internal vs. external.

  • PCI rating is the PCI pass/fail scoring.

    It shows a PCI pass or fail result for each vulnerability, and whether assets are compliant based on that pass/fail scoring.

Important

The vulnerability assessment does not replace PCI-compliant vulnerability scans. The service complements existing protection with an automatic weekly scan and a report of the most critical vulnerabilities.

Table 1. Report rating systems

  Vulnerability report   Severity ratings
  DDI                    Critical, High, Medium, Low, Trivial
  PCI                    Pass, Fail


How vulnerability scanning works

The vulnerability assessment service pulls information about your domains into CertCentral, where you can view details about any discovered vulnerabilities to quickly identify exploitable weaknesses and take corrective action for your domains. You can also download reports, get notifications, and rescan your website to help confirm that vulnerabilities were fixed.

By default, the assessment service scans domains on the order once weekly for as long as vulnerability assessments are enabled. You can also manually queue and rescan a domain anytime. To prevent scanning altogether, disable vulnerability assessments for the certificate order.

Does the service scan all my domains?

The vulnerability assessment service only scans the highest-level domains secured by the certificate. The table below shows examples of the domains the service scans when securing domains at various levels: base domains, first-level subdomains, and second-level subdomains.

Certificate A’s secured domains:

  • domain.com – scanned

  • example.domain.com – not scanned

  • sample.domain.com – not scanned

  • website.com – scanned

When a certificate secures base domains and first-level subdomains, the service only scans the base domains. In this example, the certificate secures two base domains and two first-level subdomains. So, the service scans only the base domains.

Certificate B’s secured domain:

  • example.domain.com – scanned

  • sub.example.domain.com – not scanned

When a certificate does not secure a base domain, the service scans the highest-level subdomains it does secure. In this example, the certificate secures a first- and a second-level subdomain. So, the service scans only the first-level subdomain.

Certificate C’s secured domains:

  • example.domain.com – scanned

  • sample.domain.com – scanned

  • demo.domain.com – scanned

  • sub.demo.domain.com – not scanned

When a certificate secures multiple subdomains at the same level, the service scans all of them. In this example, the certificate secures three first-level subdomains and one second-level subdomain. So, the service scans all the first-level subdomains.
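The selection rule in the three certificates above can be checked ahead of time against your own SAN list, so you know which hosts the weekly scan will cover and which ones need separate coverage. The following is an added example written for this page, not DigiCert code or an API of the service. It encodes the rule as described: a secured name is skipped when another secured name on the same order is its parent domain. How the service treats unrelated base domains secured at different depths is not stated on the page; the code judges each name independently, which is an assumption. The three certificates are embedded as constructed sample input.

```python
"""Predict which names on a certificate order the weekly vulnerability scan covers.

Added example, not DigiCert code. Rule taken from the page: the service scans only
the highest-level names on the certificate, so a name is not scanned when another
secured name on the same order is its parent domain.
"""
from typing import Iterable


def _normalize(name: str) -> str:
    # Lower-case and drop a trailing dot so "Example.COM." and "example.com" compare equal.
    return name.strip().lower().rstrip(".")


def _is_subdomain(name: str, parent: str) -> bool:
    # example.domain.com is a subdomain of domain.com; a name is not a subdomain of itself.
    return name != parent and name.endswith("." + parent)


def scanned_domains(secured: Iterable[str]) -> dict[str, bool]:
    """Map each secured name to True (scanned) or False (not scanned).

    A name is scanned unless another name on the order is an ancestor of it.
    Assumption (not stated on the page): names with no secured ancestor are
    scanned regardless of their depth relative to unrelated base domains.
    """
    names = sorted({_normalize(n) for n in secured if n.strip()})
    return {
        n: not any(_is_subdomain(n, other) for other in names)
        for n in names
    }


def scan_plan(secured: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (scanned, not_scanned) lists, each in alphabetical order."""
    plan = scanned_domains(secured)
    scanned = [n for n, covered in plan.items() if covered]
    skipped = [n for n, covered in plan.items() if not covered]
    return scanned, skipped


# The three certificates from the page, used here as constructed sample input.
CERT_A = ["domain.com", "example.domain.com", "sample.domain.com", "website.com"]
CERT_B = ["example.domain.com", "sub.example.domain.com"]
CERT_C = ["example.domain.com", "sample.domain.com", "demo.domain.com", "sub.demo.domain.com"]

if __name__ == "__main__":
    for label, sans in (("A", CERT_A), ("B", CERT_B), ("C", CERT_C)):
        scanned, skipped = scan_plan(sans)
        print(f"Certificate {label}: scanned={scanned} not scanned={skipped}")
```

Run it as a script to print the plan for the three page certificates, or call `scan_plan` with the names from your own order. Any name that lands in the "not scanned" list is one the weekly scan will not touch, so it needs to be covered by another assessment.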
