ResolutionCategories-VulnerabilityDetectionErrors.json
{
  "namespace": "continuousimprovement-vulnerability-relevance",
  "expanded": "Continuous Improvement Vulnerability Relevance Resolution Categories",
  "description": "The vulnerability relevance categories reflect standard resolution categories used to document detection errors, where a vulnerability scanner identified a vulnerability but the responsible technical team clarifies that the vulnerability is not actually a problem. More information can be found at: https://github.com/d3sre/IntelligentProcessLifecycle",
  "version": 1,
  "predicates": [
    {
      "value": "faulty-vulnerability-verification-process",
      "expanded": "Faulty Vulnerability verification process",
      "description": "This category shows that the identification of vulnerabilities by your vendor/supplier is faulty or should be optimized. If your vulnerabilities are closed several times by the responsible system engineers with this category, you either want to find a better vendor, improve automated detection by using host patch management verification solutions or by combining the alerting with technical security compliance verification, or you want to verify your engineers' judgement capabilities in risk/system assessment."
    },
    {
      "value": "context-of-exploitability-has-not-been-given",
      "expanded": "Context of exploitability has not been given",
      "description": "If vulnerabilities are often graded down because of other security measures, the identification process and the technical setup should be verified. Even though all vulnerabilities should eventually be patched, this category can point to risks that were accepted at one stage to avoid further assessments, and that acceptance has not been communicated back to the scanning team. Do not scan what you never intend to remediate, and document everything you never intend to remediate."
    }
  ]
}