by beardedwizard
909 days ago
The question on everyone's mind is whether or not regulators (Fed/State RAMP, etc.) will accept variances with a VEX statement. The posture for the vast majority of businesses subject to this kind of regulation is "fix every single CVE regardless of impact".
I'm repeating myself but: CVEs are useless. Please don't use them as an equivalent for "vulnerabilities".
Regulators might take a few years to catch up, but if I'm able to DDoS my competition with bogus vulnerabilities then people will do just that.
The CRA says that only "exploitable" vulnerabilities have to be fixed and it does accept VEX statements. So that's good. I would have liked to see "exploited" instead of "exploitable" but it's better than nothing.
I assume/hope the US will follow.
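The thread turns on whether a VEX statement can be used to set aside a scanner finding. The script below is an added example, not code from any commenter or from the CRA text, showing how a scanner-side filter would consume an OpenVEX document: a finding is only suppressed when a statement says `not_affected` (with one of the spec's justifications, or an impact statement) or `fixed`; `affected`, `under_investigation`, and unmatched findings stay on the worklist. The VEX document, the product purl, the finding list and the CVE numbers in it are all constructed for illustration and do not refer to real advisories.

```python
"""Filter a scanner's CVE findings with an OpenVEX document.

Added example for this thread, not code from any commenter. The VEX
document, the finding list and every identifier in them are constructed
for illustration (the CVE numbers below do not refer to real advisories).
Status and justification vocabularies follow the OpenVEX v0.2.0 spec.
"""
import json

# Statuses a VEX statement may carry (OpenVEX spec).
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# A not_affected statement must carry a machine-readable justification
# or an impact_statement; without one the assertion carries no evidence.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

PRODUCT = "pkg:generic/example-app@1.0.0"  # constructed product purl

# Constructed OpenVEX document covering three findings; a fourth finding
# in SCANNER_FINDINGS has no statement at all.
VEX_DOCUMENT = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/example-app-1.0.0",
    "author": "Example Vendor PSIRT",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-1900-0001"},
         "products": [{"@id": PRODUCT}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-1900-0002"},
         "products": [{"@id": PRODUCT}],
         "status": "affected",
         "action_statement": "Upgrade to 1.0.1"},
        # A not_affected claim with no justification. A consumer that
        # honoured it would let anyone suppress real bugs for free, so
        # it is treated as if no statement existed.
        {"vulnerability": {"name": "CVE-1900-0003"},
         "products": [{"@id": PRODUCT}],
         "status": "not_affected"},
    ],
}

# Constructed scanner output: (CVE, product) pairs.
SCANNER_FINDINGS = [
    ("CVE-1900-0001", PRODUCT),
    ("CVE-1900-0002", PRODUCT),
    ("CVE-1900-0003", PRODUCT),
    ("CVE-1900-0004", PRODUCT),  # no VEX statement covers this one
]


def validate_statement(stmt):
    """Return None if the statement is acceptable, else a reason string."""
    if stmt.get("status") not in VEX_STATUSES:
        return "unknown status"
    if stmt["status"] == "not_affected":
        has_justification = stmt.get("justification") in NOT_AFFECTED_JUSTIFICATIONS
        has_impact = bool(stmt.get("impact_statement"))
        if not (has_justification or has_impact):
            return "not_affected without justification or impact_statement"
    return None


def index_vex(doc):
    """Map (vuln_name, product_id) -> statement, skipping invalid statements."""
    index = {}
    for stmt in doc.get("statements", []):
        if validate_statement(stmt) is not None:
            continue
        name = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(name, product["@id"])] = stmt
    return index


def triage(findings, doc):
    """Split findings into (actionable, suppressed) lists of (cve, reason).

    Suppressed: status not_affected (with justification) or fixed.
    Actionable: affected, under_investigation, or no valid statement.
    """
    index = index_vex(doc)
    actionable, suppressed = [], []
    for cve, product in findings:
        stmt = index.get((cve, product))
        if stmt is None:
            actionable.append((cve, "no valid VEX statement"))
        elif stmt["status"] in ("not_affected", "fixed"):
            reason = stmt.get("justification") or stmt.get("impact_statement") or stmt["status"]
            suppressed.append((cve, reason))
        else:
            actionable.append((cve, stmt["status"]))
    return actionable, suppressed


if __name__ == "__main__":
    todo, done = triage(SCANNER_FINDINGS, VEX_DOCUMENT)
    print("actionable:", json.dumps(todo))
    print("suppressed:", json.dumps(done))
```

The `validate_statement` check is the part that matters for the "bogus statements" concern raised above: a VEX document is only an assertion by its author, so a consumer should at minimum require that a `not_affected` claim is accompanied by a justification it can audit, and should pair that with a check on who signed the document before letting it silence a finding.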