-
Random Movie/TV Thoughts and Reviews (January 2026)

Reviews I finished Trigger (2025), a Korean cop/crime/action series that was pretty good. The most interesting aspect was the premise: “what if guns flooded into South Korea?” It basically becomes a gun epidemic that the police are fighting, which is obviously a stark contrast to the United States. It’s simple, yet…
-
Vulnerability Disclosure Forensics: /cgi-bin/upload.cgi

Yesterday, Chris Sullo, of Nikto fame, asked me a simple question; in so many words, what was the “first web vuln”? To be clear, he is asking about the first vulnerability in a web server / service / program. Seems relatively straightforward, but I challenge anyone to answer it with their own data set, especially…
-
Random Movie/TV Thoughts and Reviews (December 2025)

Reviews Bad Words (2013) – I somehow missed this movie from a good while ago, but it is hysterical! Full of over-the-top adult humor, yet it delivers not just in comedy but with a fun story. It’s always amusing, to me at least, when you have an adult / kid duo that involves corrupting the…
-
Rest In Peace IBM X-Force Vulnerability Database

Within the vulnerability ecosystem, the CVE project / vulnerability database is certainly the most well-known. Over the past 30 years many others have come and gone, and others are still around. Some of you will recognize SecurityFocus BID, Open Sourced Vulnerability Database (OSVDB), Secunia, VulnDB, OSV, and others. Started in 1997, there is another that…
-
Squirrel Goes Down the Rabbit Hole … Podcast

On November 17, I joined the three hosts of the Down the Security Rabbithole (DtSR) podcast to talk about CVSS, CVE, and how they play into risk and defending networks. My time followed Robert “RSnake” Hansen’s podcast where he had a pretty controversial take on risk management. One of the hosts, Rafal Los, asked my…
-
Random Movie/TV Thoughts and Reviews (November 2025)

Reviews Obliterated, a TV series on Netflix, made me wonder early on, as the presentation image used on the platform to represent the show has several people walking forward confidently, yet several of them ultimately have nothing to do with the actual show. Why is that, what is going on? Anyway, as far as the…
-
Leave AI Slop out of CVE; Humans Make Mistakes Just Fine

I was recently asked, again, if so-called AI could help CVE. My reply was quick and direct; no. At least, not right now, and to me not for the immediate foreseeable future. Anyone that knows me is probably aware of my disdain for so-called AI. The fact that I preface it with “so-called” should be…
-
2025 BSidesLV CVE Panel – My Comments

This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did…
-
Miggo Security’s AI Slop & Potential Trademark Infringement

On July 14, 2025, a relatively new security company named Miggo Security announced a new offering called VulnDB. Even for my casual readers you may have done a double-take thinking I just made a glaring error. No, not this time, it seems that Miggo made the glaring error. Apparently, rather than do a simple Google…
-
CVE: The Big Vote of No Confidence

Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about it. The super tl;dr is that on April 15, a…