@@ -726,6 +726,8 @@ The product shall be accompanied by documentation describing how the product may
* Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
> TODO: Add automatic update mitigation
#### 5.2.X.x **MI-SCAN**: No easily scannable exploitable vulnerabilities
If automatable and freely-usable vulnerability scanners are available for the product, then the product shall satisfy the following with respect to the three (or fewer, if fewer than three are avilable) most comprehensive of such scanners.
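Review bot: The `> TODO: Add automatic update mitigation` line leaves an open placeholder in the normative text just before the MI-SCAN heading, with nothing saying what the mitigation should require or where the work is tracked. Either add a stub heading with the intended requirement in this change, or replace the TODO with a reference to a tracking issue so it does not ship in a published draft. In the MI-SCAN paragraph below it, "avilable" should be "available", the "5.2.X.x" number still needs a final value, and "most comprehensive" has no stated criterion, so two assessors could select different scanners and reach different verdicts.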
@@ -742,8 +744,9 @@ If automatable and freely-usable vulnerability scanners are available for the pr
* Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations
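Review bot: The Evidence line asks for the "list of vulnerability scanners selected" but not for the reason those scanners were judged the most comprehensive, nor for the scanner versions used, so a second assessor cannot check the selection or reproduce the reports. Suggest extending the list with the selection rationale and the version of each scanner (and of its vulnerability data, where the scanner has one).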