Yesterday, more than one organization reached out to my company asking why a particular vulnerability wasn’t in VulnDB yet. First, it had been less than 24 hours since publication in CVE/NVD, NVD hasn’t analyzed it as of the time of this blog, and it is in software no significant business would use. It’s part of a pattern of vulnerabilities being disclosed in low-end personal PHP projects, most of which will never see the light of corporate networks.
So why the interest? One party reaching out said it was “trending” and a “most talked about / most Tweeted” vulnerability. Was it really? Searching now, eight hours after the request, there are only 11 Tweets about it. Those include CVE itself, CVE.report, Vuldb (not to be confused with Flashpoint’s VulnDB), and VulMon. The rest are the standard accounts that re-post and regurgitate new CVEs regardless of merit. There are zero actual replies to or discussion of these Tweets, and of the eleven, a single one has a single like.
For databases that aren’t comprehensive and simply put lipstick on the CVE pig, it is easy for them to turn entries around. Little or no analysis, no metadata, no real enrichment. For a comprehensive vulnerability database that sometimes does twice the daily volume as CVE and adds that enrichment, sometimes it requires prioritizing. For software that likely has zero real installations in the entire world and wouldn’t appear on a corporate network? Yep, that is towards the bottom of the list.
The lesson here is that vulnerability intelligence factors all of this in. “Talk” on Twitter, by itself, means precisely nothing. Dark web, yes. Telegram groups, yes. Glorified re-Tweets, no. And once again… consider the software and the criticality of getting it published immediately.