Yesterday, Siemens added a new announcement to their Siemens ProductCERT website regarding their support and use of the new Supplier Authorized Data Supplier (S-ADP) tools available on both the NIST.NVD.gov and the CVE.org websites. This new tool allows vendors like Siemens to add information to third-party vulnerability CVE listings on each site, similar to how CISA (using CISA-ADP) is able to add pertinent information to those vulnerability listings. An example of how that new data is applied can be seen at the NIST.NVD and CVE pages for CVE-2025-2884.
Siemens notes that:
“With the current SADP approach, we expect that vulnerability scanners can increase the “true positive” rates for affected Siemens products. In future, when Siemens expands to incorporates "known-not-affected" product data into SADP (information currently available only through security advisories and CSAF), we expect the number of “false positives” to drop. “False positives” occur when vulnerable components are installed in a system, but the vulnerability cannot be exploited.”
Posts
No comments:
Post a Comment