05 May

Be Aware That the Claimed Impact of Vulnerabilities is Not Always Accurate in Vulnerability Reports

When it comes to the many problems with the security industry, one of them that we see very often due to our work for this service is overstating the impact of vulnerabilities and claiming that issues that are probably not vulnerabilities are in fact ones.

The latest example of this we have come across is from DefenseCode, a company whose advisories we warned to be wary of last week. Earlier this week they put out a report (PDF) of claimed SQL injection vulnerability in the plugin Photo Gallery. The problems with it is that they are claiming an issue that we wouldn’t consider to be a vulnerability as being one, along with it looking like they overstated the potential impact, if it truly was one. [Read more]