Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yeah like when we bundled in a .js library for client side date processing that has a CVE affecting node.js servers with high score. Our auditors don’t care they tag the whole app as high risk. It doesn’t even run on the server!


the auditors that sign off on your security to meet your clients requirements usually know way less about your security posture than your clients do

its all just surface-level box-checking. most companies required to get 'penetration tests' just get an overpriced Nessus scan sold as a pentest and that meets their reqs.


while this is true it in no way diminishes the value that orgs like cve provide


Incompetent auditors don't detract from the classification system, though. If we removed every data point auditors misinterpret or don't care to understand, we may as well remove all metrics.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: