mk89 5 hours ago

Oh no, you're in for a surprise.

"Especially now" all these infosec folks "need to get CVEs fixed because compliance/SOC2, etc" and they will be even more up your a*!

Something has to change with how compliance works. It is so outdated and crazy.

jamesfinlayson an hour ago

Yep, at work my team's vulnerability dashboard constantly shows hundreds of critical and high vulnerabilities. Fortunately/unfortunately, 99% of these issues are for JavaScript dependencies in websites that are not server-side rendered... so we look bad, even though we have no exposure to most of these vulnerabilities.

john_strinlai 4 hours ago

>all these infosec folks

I am an infosec folk (:

mk89 an hour ago

Well you're a bit different then...

In my experience it is becoming basically ridiculous that we disallow compliance based on a number of CVEs, their level, etc. It's just a checkbox, but it has nothing to do with security.