| ▲ | semi-extrinsic 6 hours ago | |
Every month when there is a new Chrome release, there is a handful of CVSS 9.x vulnerabilities fixed. I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours. Are they just absolutely flooded with reports, or does nobody on the vendor side actually follow these rules to the letter? | ||
| ▲ | michaelt 3 hours ago | parent | next [-] | |
> I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours. That sounds like a nigh-impossible requirement, as you've written it. I suspect the actual requirement is much more limited in scope. | ||
| ▲ | PunchyHamster 6 hours ago | parent | prev [-] | |
the rating is nonsense anyway, which one actually applies to code you run varies wildly 9.x vulnerability might not matter if the function gets trusted data while 3.x one can screw you if it is in bad spot | ||