• Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses

    Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple of days ago, titled “CVE Quality-by-Design Manifesto”, is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which…

  • Shadow, Ghost, and Phantasmawhatever Vulnerabilities – The Reality

    Back in September of 2024, I took some notes on a blog I wanted to write about “Shadow” vulnerabilities, based on a corporate blog with a poor concept and misunderstanding of CVE. The title was to be “Shadow Vulnerabilities – Rebuttal” and pretty straightforward. Vulnerability life is crazy when you help manage a true vulnerability…

  • Random Movie/TV Thoughts and Reviews (January 2026)

    Reviews I finished Trigger (2025), a Korean cop/crime/action series that was pretty good. The most interesting aspect was the entire premise, which is “what if guns flooded into South Korea?” So it basically becomes a gun epidemic that the police are fighting, which is obviously a stark contrast to the United States. It’s simple, yet…

  • Vulnerability Disclosure Forensics: /cgi-bin/upload.cgi

    Yesterday, Chris Sullo of Nikto fame asked me a simple question; in so many words, what was the “first web vuln”? To be clear, he is asking about the first vulnerability in a web server / service / program. Seems relatively straightforward, but I challenge anyone to answer it with their own data set, especially…

  • Random Movie/TV Thoughts and Reviews (December 2025)

    Reviews Bad Words (2013) – I somehow missed this movie from a good while ago, but it is hysterical! Full of over-the-top adult humor, yet it delivers not just in comedy but with a fun story. It’s always amusing, to me at least, when you have an adult / kid duo that involves corrupting the…

  • Rest In Peace IBM X-Force Vulnerability Database

    Within the vulnerability ecosystem, the CVE project / vulnerability database is certainly the most well-known. Over the past 30 years many others have come and gone, and others are still around. Some of you will recognize SecurityFocus BID, Open Sourced Vulnerability Database (OSVDB), Secunia, VulnDB, OSV, and others. Started in 1997, there is another that…

  • Squirrel Goes Down the Rabbit Hole … Podcast

    On November 17, I joined the three hosts of the Down the Security Rabbithole (DtSR) podcast to talk about CVSS, CVE, and how they play into risk and defending networks. My time followed Robert “RSnake” Hansen’s podcast where he had a pretty controversial take on risk management. One of the hosts, Rafal Los, asked my…

  • Random Movie/TV Thoughts and Reviews (November 2025)

    Reviews Obliterated, a TV series on Netflix, made me wonder early on, as the presentation image used on the platform to represent the show has several people walking forward confidently, but several of them ultimately have nothing to do with the actual show. Why is that, what is going on? Anyway, as far as the…

  • Leave AI Slop out of CVE; Humans Make Mistakes Just Fine

    I was recently asked, again, if so-called AI could help CVE. My reply was quick and direct: no. At least, not right now, and to me not for the immediate foreseeable future. Anyone that knows me is probably aware of my disdain for so-called AI. The fact that I preface it with “so-called” should be…

  • 2025 BSidesLV CVE Panel – My Comments

    This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did…