Month: April 2025
-
CVE: The Big Vote of No Confidence

Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about it. The super tl;dr is that on April 15, a…
-
Reporting on the IBM 2025 Report

On April 16, 2025, IBM posted their X-Force 2025 Threat Intelligence Index. Like many reports of this nature, it covers a wide variety of aspects relating to threat intelligence. Of course, one of those aspects is vulnerability intelligence and this report has a section for that. You are reading this so you can guess where…
-
Who Reads Mega-advisories? No one! (Almost)

Vulnerability disclosure analysts have long been familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer:…
-
VulnCon Day 2 Errata & Taking Ben Edwards to Task

[4/13/2025 Update: See very end, below last image, for an amusing update.] [2/19/2026 Update: See very very end for an amusing update, yet positive!] Today was the second day of VulnCon 2025, a conference whose stated purpose is “to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken…