[Public Interpretations Database]

PD-0008: When should monitoring of the public domain for new 'obvious vulnerabilities' cease?


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-03-11
Last Modified: 2006-08-02

Issue

AVA_VLA.1 requires evaluators to verify the adequacy of the developer's vulnerability analysis (the vulnerabilities the developer identified and tested) and to perform penetration testing to ensure that all obvious vulnerabilities have been addressed.

The basic questions are: when must the search for public vulnerabilities cease, and what obligation does the vendor have to address those vulnerabilities that are not addressed by the ST or the TOE?

Resolution

All vulnerabilities identified by the end of testing must be addressed.

Support

Note: CCIMB-INTERP-0031 addresses this issue but simply refers the question back to the scheme, hence this PD.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • TFFWPPv1.a
  • ALFWPPv1.a

Related NIs:

  • None

Related CCIMB-INTERPs:

Source OD: 0036