The last place I worked, we had a cyber security team, whose job it was to send us CVEs to investigate. I mean random CVEs that had zero relevance to our systems or the technologies we used. Sometimes they sent us low level kernel type CVEs and expected us to explain why we weren’t affected. Mostly it was a waste of time. If they knew how to do their job, they’d have a list of technologies we used on each project and could filter out the irrelevant stuff, instead of wasting developer time.

Grrrrrr!!