@RichiH @stefano @maxinstuff If they knew anything about what they were auditing, they could have said “we understand that the VPN makes it difficult to access the server and exploit any security holes, but we need the underlying server to be compliant anyway, in case of anyone fumbling the VPN”, and then when they didn’t understand the version/OS differences, said “write us a couple of lines justifying why this is compliant, and we’ll send it for evaluation and archiving”.