Comment by icedchai

Incompetence is frequent and expected.

I did an assessment once where we were an add on to a third party platform. The assessor (from the third party platform) reports we are using a vulnerable javascript library! I said we're not even using that library, so he must've mixed us up with someone else.

Tons of back-and-forth emails. He eventually sends us a couple of screen shots from browser dev tools. It turns out the guy was talking about a library on their own platform. It took even more back and forth emailing, until we escalated and the problem was resolved.