In security scanning, which term describes a finding reported when it should not be?

• A. False positive
• B. False negative
• C. Vulnerability feed
• D. CVE

Answer: (A)

Reporting a finding when no real vulnerability exists is called a false positive. In security scanning, the tool flags something as vulnerable even though it isn’t exploitable or isn’t actually vulnerable in the given context. This can happen due to overly aggressive signatures, outdated or imprecise checks, environment differences, or test artifacts. The result is alert fatigue and wasted effort spent triaging non-issues, which can distract from real risks. This differs from a false negative, where a real vulnerability isn’t detected at all. To reduce false positives, fine-tune the scanner’s rules, verify critical findings with additional methods, use authenticated scans, keep vulnerability feeds current, and correlate findings with asset inventories and real-world context.