Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: smaller errors eroding situational awareness.

From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 10:16:20 +1000
Ron,

To reuse the PCI DSS v2.0 Requirement 6.2 example, the core issue is
that "... a vendor-supplied patch classified by the vendor as
"critical"" and in this circumstance the source of truth is the
"vendor" and not Nessus.

In addition, Nessus (or any other product implemented by an ASV) may
have the incorrect CVSSv2 Base Score listed e.g.
https://discussions.nessus.org/thread/4769

On Sat, Aug 17, 2013 at 5:36 AM, Ron Gula <rgula () tenable com> wrote:

Examples like this are why I push the "exploitability" field as a form
of prioritization for vulnerabilities. I've seen to many organizaitons
debate a CVSS score with our support team so they can get it moved off
of their mandate to patch everything with a CVSS score of X or higher.



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: