Known vulnerabilities are known to the public because they are published on the internet or when it has a CVE ID. These vulnerabilities are also added to vulnerability scanners so they can be easily detected. A vulnerability scan could be thought of as a surface-level security assessment since it only detects known vulnerabilities. A vulnerability scan cannot spot logic issues. A hacker might be able to intercept traffic and change data in transit, for example. A vulnerability scanner might not deem information disclosure as an issue. Furthermore, this type of assessment may not see images stored on the network without protection or encryption as being anything to be concerned about. However, if these images happen to be of peoples’ ID or credit cards, then that is a severe problem. A researcher can spot this and uncover the unknown vulnerabilities.