Reasons for Vulnerability Exceptions
· False positive - You may want to exclude false positives reported by Nexpose. A false positive occurs when a vulnerability scanner detects a vulnerability when none exists.
· Compensating control - You may want to exclude vulnerabilities whose risk is mitigated by another control. For example, if a vulnerable service sits behind a firewall that blocks access to it, the organization may determine that the firewall provides enough protection and treat the vulnerability as a minimal threat.
· Acceptable use - You may want to create an exception for vulnerabilities that result from accepted organizational practices.
· Acceptable risk - You may want to exclude low-risk vulnerabilities. These pose minimal security risk, and remediating them is likely to consume more resources than the risk justifies.