  • Squirrel Goes Down the Rabbit Hole … Podcast

    On November 17, I joined the three hosts of the Down the Security Rabbithole (DtSR) podcast to talk about CVSS, CVE, and how they play into risk and defending networks. My time followed Robert “RSnake” Hansen’s podcast where he had a pretty controversial take on risk management. One of the hosts, Rafal Los, asked my…

  • Leave AI Slop out of CVE; Humans Make Mistakes Just Fine

    I was recently asked, again, if so-called AI could help CVE. My reply was quick and direct: no. At least, not right now, and to me not for the immediate foreseeable future. Anyone who knows me is probably aware of my disdain for so-called AI. The fact that I preface it with “so-called” should be…

  • 2025 BSidesLV CVE Panel – My Comments

    This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did…

  • Miggo Security’s AI Slop & Potential Trademark Infringement

    On July 14, 2025, a relatively new security company named Miggo Security announced a new offering called VulnDB. Even my casual readers may have done a double-take thinking I just made a glaring error. No, not this time; it seems that Miggo made the glaring error. Apparently, rather than do a simple Google…

  • CVE: The Big Vote of No Confidence

    Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about it. The super tl;dr is that on April 15, a…

  • Reporting on the IBM 2025 Report

    On April 16, 2025, IBM posted their X-Force 2025 Threat Intelligence Index. Like many reports of this nature, it covers a wide variety of aspects relating to threat intelligence. Of course, one of those aspects is vulnerability intelligence and this report has a section for that. You are reading this so you can guess where…

  • Who Reads Mega-advisories? No one! (Almost)

    Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer:…

  • VulnCon Day 2 Errata & Taking Ben Edwards to Task

    [4/13/2025 Update: See very end, below last image, for an amusing update.] Today was the second day of VulnCon 2025, a conference whose stated purpose is “to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management…

  • The Curious Case of CVE-2015-2551 & CVE-2019-9081 – Doom and Gloom! Or not.

    What’s Your Story CVE-2015-2551? This CVE-2015-2551 entry seems straightforward, based on the description provided by CVE or NVD. Looking at the change history on NVD is a bit more informative: So the ID was created for the 2015 calendar year, apparently not used, rejected seven years later, and confirmed by the assigning CNA (Microsoft).…

  • ChatGPT Exploited by Threat Actors, Doom and Gloom! Or not.

    After years of chasing down typos in CVE IDs, now we all have to contend with poorly researched headlines and what appears to me to be ambulance chasing over mistaken product names. If you missed the news, threat actors are exploiting a vulnerability in ChatGPT! This is obviously a huge warning and we should all be afraid because…