@@ -136,8 +136,8 @@ In accordance with the requirement to apply effective and regular tests to the s
To demonstrate compliance, the manufacturer may rely on manual security testing (e.g., penetration testing), automated vulnerability scanners, or a combination of both, depending on what is most comprehensive and technically feasible for the product's technology stack.
*\[REQ-KEV-kosxm-0] The product shall have no known exploitable vulnerabilities discovered during testing.
*\[REQ-KEV-kosxm-1] The product shall have no discoverable known exploitable vulnerabilities with an age greater than the manufacturer's documented vulnerability handling process.
*\[REQ-KEV-kosxm-2] The product has publiclyavailable documentation explaining how the risk has been mitigated for any vulnerability older than the documented vulnerability handling process.
*\[REQ-KEV-kosxm-1] Vulnerabilities discovered during testing are recently-reported, in line with the period permitted before public disclosure as described in the vulnerability handling procedure for the product.
*\[REQ-KEV-kosxm-2] Any and all detected vulnerabilities have publicly-available documentation explaining the risk and how that risk has been mitigated.
[//]:#(### 6.2.N KEV)
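Review bot: the replacement requirements reuse the identifiers REQ-KEV-kosxm-1 and REQ-KEV-kosxm-2 for text whose meaning has changed, and REQ-KEV-kosxm-0 ("no known exploitable vulnerabilities discovered during testing") disappears without a successor; since the test case in section 6.2.N and its evidence list are keyed to these IDs, either keep an ID only where the requirement is semantically unchanged or allocate fresh ones, and state explicitly whether kosxm-0 is intentionally dropped. The new kosxm-2 also broadens scope: "Any and all detected vulnerabilities have publicly-available documentation explaining the risk and how that risk has been mitigated" now covers vulnerabilities that the new kosxm-1 explicitly permits to be within the pre-disclosure period of the handling procedure, which is exactly when public documentation normally does not yet exist; the previous wording scoped the documentation duty to vulnerabilities older than the handling process, and that scoping should be restored (e.g. "Any detected vulnerability outside the period permitted before public disclosure has publicly-available documentation ..."). Minor style point: the other requirements use the "The product shall ..." form, while the new lines are written as plain statements.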
@@ -146,8 +146,8 @@ To demonstrate compliance, the manufacturer may rely on manual security testing
* Objective: Prevent exploitation of known exploitable vulnerabilities
* Preparation: Using the product's SBOM and relevant publicly accessible vulnerability databases (e.g. [GCVE](https://gcve.eu), [EUVD](http://euvd.enisa.europa.eu)), compile a list of target components and potential known exploitable vulnerabilities. Select the appropriate testing methodology (e.g., the most comprehensive automated scanners available, or a manual penetration test plan) to verify the mitigation of these vulnerabilities.
* Activities: On a new product, carry out a security update, run the tests, and compare the results with the generated list of known exploitable vulnerabilities.
* Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or mitigation requirement => PASS, otherwise FAIL
* Evidence: Documented vulnerability handling policy, product SBOM, list of testing tools used or manual test plan, test reports/scan results, correlation of discovered vulnerabilities with documentation of mitigation or age of vulnerability.
* Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the elapsed time since discovery or mitigation requirement => PASS, otherwise FAIL
* Evidence: Documented vulnerability handling policy, product SBOM, list of testing tools used or manual test plan, test reports/scan results, correlation of discovered vulnerabilities with documentation of mitigation or elapsed time since discovery of vulnerability.
### 5.2.3 TR-SSDD: Secure software design and development (### 5.1.1 SSD)
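Review bot: the Verdict line still reads "satisfy either the elapsed time since discovery or mitigation requirement => PASS", but with the reworded requirements above, where kosxm-2 applies to "any and all detected vulnerabilities", a vulnerability would have to meet both conditions, not either one, so the verdict should be written as a conjunction or the requirement scoped back to older vulnerabilities so that the either/or verdict remains correct. "Elapsed time since discovery" is also ambiguous about who discovered it (the tester, the manufacturer, or the public report): kosxm-1 uses "recently-reported" and the disclosure period of the handling procedure as the reference point, so the Verdict and Evidence lines should use the same term, e.g. "elapsed time since the vulnerability was publicly reported", and the Evidence phrase "elapsed time since discovery of vulnerability" should be rewritten to match.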