mailing list archives
Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 10:16:20 +1000
To reuse the PCI DSS v2.0 Requirement 6.2 example, the core issue is
that "... a vendor-supplied patch classified by the vendor as
"critical"" and in this circumstance the source of truth is the
"vendor" and not Nessus.
In addition, Nessus (or any other product implemented by an ASV) may
have the incorrect CVSSv2 Base Score listed e.g.
On Sat, Aug 17, 2013 at 5:36 AM, Ron Gula <rgula () tenable com> wrote:
Examples like this are why I push the "exploitability" field as a form
of prioritization for vulnerabilities. I've seen to many organizaitons
debate a CVSS score with our support team so they can get it moved off
of their mandate to patch everything with a CVSS score of X or higher.
Dailydave mailing list
Dailydave () lists immunityinc com