Closed mrybczyn closed 2 years ago
In the context of our specification, Known Vulnerabilities are "Security vulnerabilities previously discovered in Open Source Software components that are publicly available. That would include any publicly published vulnerabilities including but not limited to CVEs, GitHub/GitLab vulnerability alerts, package manager alerts and so forth." The language in question is intended to emphasize activities around addressing these vulnerabilities rather than the discovery of new vulnerabilities. That is regarded as a different activity.
The current definition (2.11) is:
I assume that we're talking about security testing to eventually discover new vulnerabilities. If that is the case, the phrase could be:
A process for the analysis of software (or other components) that allows for understanding their current and potential future Newly Discovered Vulnerabilities.
Or maybe it means just handling of Known Vulnerabilities and their possible future effects?