Ugh, I’m glad I’ve moved on from IT, but I’ve had many arguments with ‘security managers’ about some bogus Qualys findings. If the CVE is that a user could do a thing in an unexpected way, but they have permission to do the thing, that is a bug, not a vulnerability. IMO it’s only a vulnerability if someone that is not allowed to do something can do the forbidden thing.