|
|
|
|
|
|
by mcpackieh
1064 days ago
|
|
|
> This sounds very much like the idiocy of "infosec" lunkheads who know nothing about what they're "fixing" but if an automated system tells them a CVE exists, they've absolutely got to have it "patched". They don't look into what the claims of the CVE are, or whether their specific use case is vulnerable. They don't know, they don't care, they're not even programmers. All they know is a box needs ticking. They may know and understand all of this and still not care. Maybe their performance is judged by how quick they can get checkboxes checked, with overzealous approvals harming them more than overzealous rejections. They may be empowered to make exceptions when the specific circumstance warrants it, but that might require them to fill out even more paperwork to justify their decision. That extra paperwork slows them down and harms the metrics by which their performance is judged. |
|
|