vf2000

joined 3 weeks ago
[–] vf2000@lemmy.zip 1 points 1 day ago

This applies to all devices and is not specific to Apple, as long as you don't audit and comprehend every piece of software involved.


the EUVD comes with a holistic approach and aims for ensuring a high level of interconnection of information sources. It does so by leveraging the open-source software Vulnerability-Lookup which enables a quick correlation of vulnerabilities from multiple known sources. ... Utilising the Common Security Advisory Framework (CSAF), a standardised format for vulnerability advisories, the EUVD supports automation in the processing, consumption, and distribution of security advisories.

The EUVD collects and references vulnerability information collected from existing databases (such as MITRE’s CVE DB, GitHub's Advisory Database, JVN iPedia, GSD-Database), adds additional information via references to advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and enriches it with exploited vulnerability markings (such as CISA KEV) and FIRST’s Exploit Prediction scores (EPSS).

(Note: ENISA has been tasked with establishing the EUVD as outlined in Article 12 of the NIS-2 Directive.)

[–] vf2000@lemmy.zip 2 points 3 days ago

Isn't that already the case these days, or am I misunderstanding your comment? I mean, the NVD has been struggling with analysis for many months, and they typically provide their own CVSS 3.1 Base Score in addition to a CVSS Base Score from the CNA that issued the CVE Identifier. This means you can end up with one or two different CVSS Base Scores for the same CVE Identifier. As we know, both CVSS 3.1 and 4.0 have many limitations, including the fact that two security analysts can arrive at different assessments and thus different CVSS Base Scores. What I'm saying is that even now, you have to rely on the accuracy of the vulnerability assessment without question. There have been numerous instances where CVE Identifiers end up being marked as "DISPUTED."

[–] vf2000@lemmy.zip 1 points 4 days ago (2 children)

What should a screenshot that is about 12 years old prove or not prove? Technology has advanced significantly since then. Over the past decade, we've developed a range of new encryption algorithms, improved password hashing methods, TLS 1.3, post-quantum cryptography, and much more. The "Game of Trust" can be extended indefinitely, but using a 12-year-old screenshot as evidence for a situation in 2025 is questionable.