ukncsc / SME

List of NSEs #3

Open starblast opened 2 years ago

starblast commented 2 years ago

Are you planning on offering/linking to/distributing a list of the NSEs somewhere or is the link only going in your blog?

starblast commented 2 years ago

Actually, it seems like you should be maintaining the NSEs in your own git repo. The point of this service (as I understand it) is that you verify that the NSE works and is not malicious. If you just distribute links, the owner of the link could change the NSE into something malicious after the fact. You need a point-in-time snapshot of the code that your team has vetted.

CliffordNetwork commented 2 years ago

https://github.com/nccgroup/nmap-nse-vulnerability-scripts

starblast commented 2 years ago

That's a link to an external team (nccgroup)'s NSEs. They can change the contents of that link at any time, so I'm not sure what the point of SME is in this context?

IMO a service like this should seek to compile vetted NSEs into a single location so someone could check out ONE git repo and then use those NSEs in their scanning.

AkikoOrenji commented 2 years ago

Agreed, this is very confusing. Great initiative, but without centrally storing or managing these scripts, what's the point?
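
The point-in-time snapshot argued for in this thread, sketched as an added example that is not part of the issue or of the SME project: record a SHA-256 digest for each `.nse` file when it is vetted, then refuse any later copy that has drifted. The file names, script contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file's contents in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(script_dir):
    """Record the digest of every .nse file as it exists at vetting time."""
    root = Path(script_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*.nse"))}

def verify(script_dir, manifest):
    """Compare the scripts on disk against the vetted manifest."""
    current = build_manifest(script_dir)
    return {
        # vetted script whose bytes changed after review
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        # vetted script no longer present
        "missing": sorted(n for n in manifest if n not in current),
        # script that was never reviewed
        "unvetted": sorted(n for n in current if n not in manifest),
    }

def demo():
    """Constructed sample: vet two scripts, then simulate upstream drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "check-a.nse").write_text("-- constructed placeholder A\n")
        (root / "check-b.nse").write_text("-- constructed placeholder B\n")
        vetted = build_manifest(root)          # snapshot taken at review time
        clean = verify(root, vetted)
        (root / "check-a.nse").write_text("-- changed after vetting\n")
        (root / "check-b.nse").unlink()
        (root / "check-c.nse").write_text("-- added after vetting\n")
        drift = verify(root, vetted)
    return clean, drift

if __name__ == "__main__":
    clean, drift = demo()
    print("clean:", clean)
    print("drift:", drift)
```

The manifest only protects users if it is stored and distributed separately from the scripts it describes, for example in the vetting team's own repository.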