Ford won’t work? There were a lot of comments about “paying vulnerability fixers only when they are in the break room“. I’ll say right away that the post was a joke. Staff motivation is too delicate a topic to give serious recommendations. 🙂
But I will sort out the objections:
🔻 IT staff will sabotage the vulnerability detection process by tweaking host configs. So that the scanner will produce only green reports. But IT staff can do this at any time, and we need to take this into account. 🤷♂️
🔻 IT staff will simply turn off hosts. If they can do this without harming the business, that’s great. 👍 And if this will break the production environment, then let them deal with their IT management. 😏
🔻 There is an opinion that the method is good, but only 2% of vulnerabilities used in attack chains need to be fixed. I traditionally DO NOT agree with the possibility of reliably separating these mythical 2% of vulnerabilities. Everything needs to be fixed. 😉