Category: InfoSec

  • Speaking Ill of the Dead?

    Speaking Ill of the Dead?

    Folks in the Information Security (InfoSec) circles are getting old. It is evident from the last few years and seeing those we know, in some capacity, passing on. For many of us still here, we find ourselves battling a world of conditions ranging from the relatively simple high blood pressure, to the more complicated like…

  • That Vulnerability is “Trending” … a Redux

    That Vulnerability is “Trending” … a Redux

    A couple weeks ago I published a blog titled “That Vulnerability is ‘Trending’ … So What?“. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this… A CVE…

  • That Vulnerability is “Trending” … So What?

    That Vulnerability is “Trending” … So What?

    Yesterday, more than one organization reached out to my company asking why a particular vulnerability wasn’t in VulnDB yet. First, it had been less than 24 hours since publication in CVE/NVD, NVD hasn’t analyzed it as of the time of this blog, and it is in software no significant business would use. It’s part of…

  • Rebuttal? Not really… Comments on Curphey’s Latest Blog

    Rebuttal? Not really… Comments on Curphey’s Latest Blog

    I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that…

  • Will the Real 300,000 Stand Up?

    Will the Real 300,000 Stand Up?

    On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and .. wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text…

  • security@ Is a Two-way Street

    security@ Is a Two-way Street

    More and more companies are embracing the benefits of maintaining a dedicated security team to not only help manage internal processes such as a systems development life cycle (SDLC) that may focus on security, but to also manage vulnerability reports from external parties. Some companies choose to implement bug bounty programs, and some do not.…

  • Microsoft SIR and Vulnerability Statistics

    Microsoft SIR and Vulnerability Statistics

    [I wrote this for my day job back in February, 2017, but it never got posted. Including it here for reference.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can…

  • Let’s Talk About 0-days

    Let’s Talk About 0-days

    [This was a first draft of an article to be published on the Flashpoint Threat Intel blog. Ultimately, parts of it were adopted for a different blog but the original remains considerably different. Curtis Kang contributed significantly to the finished blog below.] Zero-days (0-days and other variations) are exploitable vulnerabilities that the general public is…

  • When CVE Typos Become Advisories

    When CVE Typos Become Advisories

    For those who follow me on Twitter, you may notice a considerable number of my Tweets are related to pointing out or confirming CVE IDs that are typos. Recently I ran into an interesting edge case where a typo CVE ID gained life of its own. Typically such typos gain life through aggregation blogs that…

  • Rebuttal: Skeletons in the Closet

    Rebuttal: Skeletons in the Closet

    On April 22, 2022, Nate Warfield of Prevailion published an article on Threatpost on the topic of zero days. I’m a little late to this article, but because this horse still has some life in it apparently, I feel obligated to once again point out how the term ‘zero day’ has basically lost all meaning.…