top | item 37608532

mdmglr | 2 years ago

The bogus CVE problem has caused delays in my projects because the CIO wants our COTS scanner tool reports to have 0 CVEs or a detailed explanation on why it is not an issue.

Also I'm having difficulty communicating that CVSS is not a measure of risk, and that many of the ReDoS vulns are very much dependent on the context.

worthless-trash | 2 years ago

Wouldn't the full score (which includes your environment context) be a measure of risk?