  • NVD Gives Up

    Since 2024, representatives from NIST’s National Vulnerability Database (NVD) have given a presentation at VulnCon with updates to the program. This has been where news broke about significant changes, admissions, and omissions. The talks, typically 30 minutes, are certainly not enough time to tell us what the industry needs to know and leave no time…

  • Anthropic, Mythos, and the Dark Reality No One Is Talking About

    If I had a nickel for every time Anthropic’s new Project Glasswing / Mythos initiative came up in conversation or I was asked directly about it in the last few days, I would have a shit ton of nickels! Let’s dive into it… first with brief observations about the announcements and available information, others’ opinions,…

  • Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

    On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked“. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was…

  • We Are Legion (We Are Bobservations); Answering a “Simple” Question

    In late February, a friend linked an article about a science-fiction book and asked if I had read it. I told her that I hadn’t but after reading an abstract it sounded good. She asked if I would be her designated reader due to her workload, and report back. I said sure! She was particularly…

  • Wait… We Needed That CNA Rule?! A Complaint =)

    It’s one of those rules you’d never think we needed until something happens… On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with…

  • Miggo, KEV, and FUD; They Still Don’t Get It

    [If the name ‘Miggo’ is familiar to you in the context of my blogging, you are thinking about one I wrote titled “Miggo Security’s AI Slop & Potential Trademark Infringement” in July, 2025. That was more around ‘corporate’ culture and bad lawyering. This blog is different, pointing out how they don’t seem to understand KEV…

  • What Do 2025 CVE Numbers Mean? An Intro.

    [This was originally my proposed introduction for Flashpoint’s 2026 Global Threat Intelligence Report. Due to the style of the report and covering a lot more intelligence sectors than vulnerabilities, only pieces of this were used. So I am publishing the entire original draft here for posterity.] The fact that there were over 48,000 CVEs published…

  • NaClCON Talks I Am Excited For

    Earlier this month, I published “My Unofficial NaClCON FAQ” talking about a new security conference (NaClCON) that I am excited for. It’s still a bit surprising to myself that I am interested in one at all. I fully thought I was done with them, but here we are! After participating on the Call For Papers…

  • YouTube: I Don’t Think You Understand Your Userbase

    It’s pretty rare that I use YouTube on a television, typically only if in the mood for specific music. Even then it tends to be a handful of videos as my ‘go to’. Earlier this month I was in the mood for such a concert and loaded it. I am authenticated as my Google account,…

  • The Jericho Blog Graveyard (2001 – 2013)

    This is a continuing short run series of blogs summarizing old drafts and either declaring them dead, while listing them here, or keeping them as they are still relevant. Part 1 – The Jericho Blog Graveyard (2010 – 2013); Part 2 – The Jericho Blog Graveyard (2014 – 2015); Part 3 – The Jericho Blog Graveyard (2016…