• fartsparkles · ↑4 ↓2 · 16 hours ago

    Bingo. That site is counting that same vuln repeatedly.

      • fartsparkles · ↑2 · edited · 10 hours ago

        By looking at the data on the website…? The same vuln appears under multiple different versions of an OS.

        • madthumbs@lemmy.world (OPM) · ↑2 ↓1 · 10 hours ago

          Your statement seems worded to imply that the same vulnerability is being counted in the same version of the OS, and it wouldn’t make sense to comment as such since it would be omitting data otherwise.

          • fartsparkles · ↑2 · 9 hours ago

            They’re still not distinct vulnerabilities. They’re the same vulnerabilities across different products and versions. Others in the thread immediately misunderstood what the table was presenting.

            Cvedetails was far better (albeit uglier) in the past before Security Scorecard took over the brand / domains.

            Another fundamental mistake Security Scorecard are making is that they don’t understand the data they’re trying to visualise, group, and rank. Debian, for instance, do a stellar job and enumerate any version of their product that has a vulnerable package in their repos even if it’s nothing to do with the actual operating system whereas Apple don’t enumerate vulnerable App Store apps in the same way nor do many other Linux distributions which have their own repos of packaged FOSS apps.

            What this results in is Debian getting tabulated to look like they’re doing something really wrong with the number of vulns they’re enumerating, whereas it’s actually exceptionally awesome that they do. This kind of junk “Top x” just incentivises other distributions to not put in the hard work and provide CPE codes for their distro’s package repos.