Ron,

To reuse the PCI DSS v2.0 Requirement 6.2 example, the core issue is that "... a vendor-supplied patch classified by the vendor as 'critical'", and in this circumstance the source of truth is the "vendor" and not Nessus.

In addition, Nessus (or any other product implemented by an ASV) may have the incorrect CVSSv2 Base Score listed, e.g. https://discussions.nessus.org/thread/4769

On Sat, Aug 17, 2013 at 5:36 AM, Ron Gula <[email protected]> wrote:
> Examples like this are why I push the "exploitability" field as a form
> of prioritization for vulnerabilities. I've seen too many organizations
> debate a CVSS score with our support team so they can get it moved off
> of their mandate to patch everything with a CVSS score of X or higher.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
