  • That Vulnerability is “Trending” … a Redux

    A couple weeks ago I published a blog titled “That Vulnerability is ‘Trending’ … So What?”. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this… A CVE…

  • That Vulnerability is “Trending” … So What?

    Yesterday, more than one organization reached out to my company asking why a particular vulnerability wasn’t in VulnDB yet. First, it had been less than 24 hours since publication in CVE/NVD, NVD hasn’t analyzed it as of the time of this blog, and it is in software no significant business would use. It’s part of…

  • Do you want the best cocktail?

    Do you want the best cocktail you have probably had in recent years? Assuming you don’t go out too much and partake in all of the drinks? There’s a simple way I have found, that has a near 100% success rate. Even better, it almost always makes the person taking your order, or your bartender,…

  • 2022 #MakeHimHurt Challenge – The Results

    On July 17, 2022, I posted a challenge to help raise money for wildlife rehabilitation nonprofits in Colorado on the back of a cross-country drive last year. It’s a cause near and dear to my heart as I volunteer in this realm, primarily helping squirrels and raccoons. Since wildlife rehab shops get so little from…

  • Rebuttal? Not really… Comments on Curphey’s Latest Blog

    I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that…

  • Will the Real 300,000 Stand Up?

    On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and .. wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text…

  • security@ Is a Two-way Street

    More and more companies are embracing the benefits of maintaining a dedicated security team to not only help manage internal processes such as a systems development life cycle (SDLC) that may focus on security, but to also manage vulnerability reports from external parties. Some companies choose to implement bug bounty programs, and some do not.…

  • Microsoft SIR and Vulnerability Statistics

    [I wrote this for my day job back in February, 2017, but it never got posted. Including it here for reference.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can…

  • Let’s Talk About 0-days

    [This was a first draft of an article to be published on the Flashpoint Threat Intel blog. Ultimately, parts of it were adopted for a different blog but the original remains considerably different. Curtis Kang contributed significantly to the finished blog below.] Zero-days (0-days and other variations) are exploitable vulnerabilities that the general public is…

  • Titan 1 Missile Silo Exploration

    [Note: This is a more detailed account to accompany pictures I have had online for some time. Also be warned, a few pictures are of graffiti from the early 90s and may be offensive.] I’m sure most people have heard about, and even seen pictures of, old missile silos from the 1950s and 1960s. Some…