Commit c6849907 authored by Aeva Black

Update file EN-304-626.md

parent 06ba816f
+10 −10
@@ -1630,28 +1630,28 @@ The product shall protect the availability of essential and core network service
| LR, IoT-1        | none                 |
| all others       | AVNT                 |

### 5.X.Y **TR-NKEV**: No known exploitable vulnerabilities
### 5.X.Y **TR-NKEV**: No known exploited vulnerabilities at first use

The product shall be made available on the market with no known vulnerabilities.
Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known vulnerabilities both when first made available and when first used by a consumer, the manufacturer shall ensure that the product can be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before that first use.

#### 5.2.X.x **MI-KEVD**: No known exploitable vulnerabilities after secure update
#### 5.2.X.x **MI-KEVD**: No known exploited vulnerabilities after secure update

The product shall be accompanied by documentation of how to report vulnerabilities, how to find out what vulnerabilities have been fixed, the timeline in which vulnerabilities will be remediated, and how the product may be securely updated before use.
The product shall be accompanied by documentation describing how the product may be securely updated, including how to update the product prior to, or as part of, first use.

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known vulnerabilities
  * Preparation: Examine the documentation and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: On a new product, carry out a secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
  * Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
  * Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
  * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.X.x **MI-SCAN**: No easily scannable exploitable vulnerabilities

If automated, freely usable vulnerability scanners are available for the product, the product shall satisfy one of the following:
If automatable and freely-usable vulnerability scanners are available for the product, then the product shall satisfy the following with respect to the three (or fewer, if fewer than three are avilable) most comprehensive of such scanners.

1. not have any vulnerabilities discoverable by the top three most comprehensive scanners (or fewer, if there are fewer than three automated, freely usable scanners)
1. have no vulnerabilities discovered by scans
1. have discoverable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. have documentation explaining why the risk of any detected vulnerability has been mitigated.
1. for each detected vulnerability, have publicly available documentation explaining how the risk has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known vulnerabilities
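Review bot: the rewritten MI-KEVD requirement (5.2.X.x) drops the reporting-channel, fixed-vulnerability list and remediation-timeline documentation, yet the Activities, Verdict and Evidence bullets still ask for "the required info", "all the required information" and "Documentation of vulnerability handling", so the verdict now references material the requirement no longer defines; either keep the original sentence's list of required documentation or trim Activities/Verdict/Evidence to the secure-update documentation alone. In the same test case, Preparation now selects "a recently fixed vulnerability" from any source while the heading and Objective are scoped to known exploited vulnerabilities; the selected vulnerability should be one reported as exploited, otherwise a PASS does not exercise the requirement. In TR-NKEV the new sentence states the product "should be free from known vulnerabilities both when first made available and when first used" but then obliges updates only for "known exploited vulnerabilities", so the scope is inconsistent within one sentence, and the MI-SCAN heading ("exploitable") and its Objective ("known vulnerabilities") were not updated to match. In the MI-SCAN intro, "avilable" should be "available", and replacing "one of the following" with "the following" makes the three list items read as conjunctive, which is contradictory (the first requires no discovered vulnerabilities while the third assumes detected ones); restore "one of the following" and align "discoverable" in the second item with "discovered"/"detected" in the others.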