In reviewing a vulnerability scan report, what type of result indicates a legitimate issue was not reported?


A false negative occurs when a vulnerability scan fails to detect a vulnerability or issue that actually exists in the system. The scanning tools or methods miss a legitimate security flaw, which can leave it unaddressed and create risk for the organization.

In vulnerability assessments, recognizing a false negative is critical because it means a genuine threat remains undetected and can be exploited by attackers. Organizations need to ensure their scanning tools are accurate and comprehensive to minimize the risk of false negatives.

In contrast, the other result types do not represent a failure to report an actual issue. A true positive is a correctly detected vulnerability, and a false positive is a reported issue that does not really exist. A true negative is an accurate assessment in which no vulnerabilities are found on known secure systems, so it also does not involve an unreported legitimate issue. A false negative is therefore the result that describes a legitimate vulnerability missing from a scan report.
