Commit 2ea86b13 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)

Add age exception to no known exploitable vulns requirement

parent 9a1ad614
+7 −3
@@ -1647,14 +1647,18 @@ The product shall be accompanied by documentation of how to report vulnerabiliti

#### 5.2.X.x **MI-SCAN**: No easily scannable exploitable vulnerabilities

If automated, freely usable vulnerability scanners are available for the product, the product shall either (1) not have any vulnerabilities discoverable by the top three most comprehensive scanners (or fewer, if there are fewer than three automated, freely usable scanners), or (2) have documentation explaining why the risk of any detected vulnerability has been mitigated.
If automated, freely usable vulnerability scanners are available for the product, the product shall satisfy one of the following:

1. not have any vulnerabilities discoverable by the top three most comprehensive scanners (or fewer, if there are fewer than three automated, freely usable scanners)
1. have discoverable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. have documentation explaining why the risk of any detected vulnerability has been mitigated.

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known vulnerabilities
  * Preparation: Select up to three vulnerability scanners meeting the requirements
  * Activities: On a new product, carry out a secure update, run the selected scanners on the product, and examine the documentation for any reported vulnerabilities
  * Verdict: All reported vulnerabilities have documentation explaining how they have been mitigated, mitigations result in appropriate risk based on risk assessment => PASS, otherwise FAIL
  * Evidence: List of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations

| Risk factors        | Requires mitigations |
|---------------------|----------------------|
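Review bot: The Activities bullet ("... examine the documentation for any reported vulnerabilities") was not updated alongside the new Verdict and Evidence bullets, so the test procedure never tells the assessor to check a reported vulnerability's age against the manufacturer's documented fix window, even though the Verdict now passes on "either the age or documentation requirement"; suggest extending Activities to something like "... run the selected scanners on the product, and for each reported vulnerability either check that its age since public disclosure is within the window stated in the manufacturer's vulnerability handling documentation, or examine the documentation of its mitigation". The same applies to Preparation, which should list obtaining the vulnerability handling policy now that Evidence requires it. Separately, new option 2 bounds the exception only by whatever window the manufacturer chooses to document, so a long documented window would satisfy it; consider cross-referencing the requirement that governs that window (or stating an explicit maximum) so the exception cannot be widened by documentation alone, and note that "age" should be measured from public disclosure, as the option implies, rather than from the date of the scan. Minor: the three list items are inconsistent in punctuation (only the last ends with a period).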