I would suggest reporting both but under the same finding, calling the finding something like "Windows missing multiple Patches". I would detail both issues but caveat the remediation section with something like:

"Whilst the above host appears vulnerable to two separate vulnerabilities, it is understood that patch x will fix both of these issues."

Sent from my iPhone

On 17 Feb 2010, at 19:17, "Albert R. Campa" <[email protected]> wrote:

> What do you guys think of scanning and reporting of cumulative
> vulnerabilities?
>
> For example, if you have vulnerability A that supersedes vulnerability
> B, Nessus will report both A and B as vulnerable, but for patching
> only vulnerability A needs to be patched. So why report vulnerability
> B? Should the scanner ignore superseded vulnerabilities? Is the only
> plus to reporting both A and B to have a history of old
> vulnerabilities not patched?
>
> What about metrics? A and B might be vulnerable but only patch A needs
> to be installed.
>
> If an admin gets a vuln report with both A and B, can they easily
> figure out "oh, this is cumulative, so I only need to install A", or are
> they going to try to install both?
>
> Want to get more opinions on this.
>
> __________________________________
> Albert R. Campa
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
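The consolidation the reply describes (keep every scanner finding for history and metrics, but report one remediation per cumulative patch) as an added example script; this is not code from the thread or from Nessus, and the finding names, hosts, patch IDs and the supersedence map are constructed placeholders:

```python
from collections import defaultdict

# Constructed sample findings shaped like a scanner export (plugin -> patch it requires).
# Patch IDs are placeholders, not real Microsoft KB numbers.
FINDINGS = [
    {"host": "10.0.0.5", "plugin": "Vuln A (MS-A)", "patch": "KB-A"},
    {"host": "10.0.0.5", "plugin": "Vuln B (MS-B)", "patch": "KB-B"},
    {"host": "10.0.0.5", "plugin": "Vuln C (MS-C)", "patch": "KB-C"},
    {"host": "10.0.0.9", "plugin": "Vuln B (MS-B)", "patch": "KB-B"},
]

# Constructed supersedence map: older patch -> cumulative patch that replaces it.
SUPERSEDED_BY = {"KB-B": "KB-A"}


def effective_patch(patch, superseded_by):
    """Follow the supersedence chain to the newest cumulative patch.
    A cycle in a hand-maintained map is a data error, so detect it instead of looping."""
    seen = {patch}
    while patch in superseded_by:
        patch = superseded_by[patch]
        if patch in seen:
            raise ValueError(f"supersedence cycle at {patch}")
        seen.add(patch)
    return patch


def consolidate(findings, superseded_by):
    """Group findings per host by the patch that actually needs installing.
    Every scanner finding is retained (metrics/history); remediation lists one patch."""
    grouped = defaultdict(lambda: defaultdict(list))
    for f in findings:
        grouped[f["host"]][effective_patch(f["patch"], superseded_by)].append(f["plugin"])
    return {host: dict(patches) for host, patches in grouped.items()}


def remediation_report(findings, superseded_by):
    """Render one consolidated finding per required patch, with the caveat from the thread."""
    lines = []
    for host, patches in sorted(consolidate(findings, superseded_by).items()):
        for patch, plugins in sorted(patches.items()):
            title = "Windows missing multiple patches" if len(plugins) > 1 else "Windows missing patch"
            lines.append(f"{host}: {title}: {', '.join(plugins)}")
            if len(plugins) > 1:
                lines.append(f"  Remediation: installing {patch} addresses all {len(plugins)} issues")
            else:
                lines.append(f"  Remediation: install {patch}")
    return lines
```

Feeding the script a real export only requires mapping each plugin to its required patch and keeping the supersedence map current, which is where the admin's confusion in the thread actually originates.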
