|
|
|
|
|
|
by sillysaurus3
3183 days ago
|
|
|
The issue is that companies can basically ignore sev:low findings. "Malpractice" implies that they need to care; they do not. I wish they did. It would be nice if they were forced to care. But it wouldn't block them from being declared secure by a pentest. Low-severity findings are findings, yes, but they don't have the same pull as medium or high severity vulns. All of this is true for storing passwords in plaintext, too. If some company leaked plaintext passwords, people would be outraged. Yet pentests would still give that company a pass, because plaintext password storage is sev:low. |
|
|