Well - yes. ISS isn't one of the most *helpful* of companies that I've had the distinct pleasure of working with. I guess when you become the 800 Pound *Microsoft* Gorilla of the IT Security World, you become more focused on profit than product.
I was trying to not have to re-invent the wheel because cross-referencing SANS Top 20 with the specific vulns/exploits in ISS Internet Scanner and creating a policy is a chore - possible because ISS is supposedly CVE compliant with mitre.org's list, but about as fun as waxing your legs since 1 SANS Top 20 item can comprise up to 20 different CVE or CANs. However, the people I work for to pay off the tuition bill believe the SANS Top 20 list is the word of God ......
HARRIS said they will be including the SANS Institute Top 20 list with their Vulnerability Scanner Product next month. I like their ANALYZER product - it can import the ISS Scanner data and output more informative/better presented reports than ISS. Its drawback is that it doesn't fully scan the Unix systems yet like AIX and HP. Does Linux flavors though.



