Category: InfoSec

  • Vulnerability Research Isn’t Cooked; It’s Burned Beyond Recognition

    On March 30, 2026, Thomas & Erin Ptacek posted a blog titled “Vulnerability Research Is Cooked”. I don’t believe I know Erin, but I know of Thomas as an old-school vulnerability researcher who has been well respected for a long, long time. When he speaks about vulnerability research, I certainly listen. So this blog was…

  • Wait… We Needed That CNA Rule?! A Complaint =)

    It’s one of those rules you’d never think we needed until something happens… On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with…

  • Miggo, KEV, and FUD; They Still Don’t Get It

    [If the name ‘Miggo’ is familiar to you in the context of my blogging, you are thinking about one I wrote titled “Miggo Security’s AI Slop & Potential Trademark Infringement” in July, 2025. That was more around ‘corporate’ culture and bad lawyering. This blog is different, pointing out how they don’t seem to understand KEV…

  • What Do 2025 CVE Numbers Mean? An Intro.

    [This was originally my proposed introduction for Flashpoint’s 2026 Global Threat Intelligence Report. Due to the style of the report and covering a lot more intelligence sectors than vulnerabilities, only pieces of this were used. So I am publishing the entire original draft here for posterity.] The fact that there were over 48,000 CVEs published…

  • NaClCON Talks I Am Excited For

    Earlier this month, I published “My Unofficial NaClCON FAQ” talking about a new security conference (NaClCON) that I am excited for. It’s still a bit surprising to myself that I am interested in one at all. I fully thought I was done with them, but here we are! After participating on the Call For Papers…

  • Zero Day Clock – All The Pieces Matter

    Last week, a colleague shared a link to the “Zero Day Clock”, a web site that has a substantial number of signatories, including some big names. I want to talk extensively about the clock because it makes at least one significant mistake and points out what the data means along with a comparison to another…

  • My Unofficial NaClCON FAQ

    As someone who has basically become disillusioned with most information security conferences, I didn’t find myself to be excited about another, let alone a new one. Then along came NaClCON and it changed my mind. It was a matter of days before I volunteered to help with the Call For Papers (CFP) review. With the…

  • It’s 2024 and Netscout Doesn’t Understand CVE

    [Quick update! This was titled ‘2026’, but Josh Bressers pointed out I missed that Netscout’s blog is from 2024. It came up a few days ago on a Google Alert so I mistakenly assumed it was a new blog. I have updated the title, but the URL slug will still say 2026. Either way, I think…

  • NSA, Theft, and the Original Quantum Lazlo

    Back in November, 2009, Attrition.org staff (including me) finally got around to finalizing the name for our new mascot (archive.org), the angry squirrel firmly associated with Attrition and myself. In a cheeky letter from the mascot, it was signed ‘Lazlo’. Since that date, the mascot has seen a wide variety of iterations as Lazlo was…

  • The Database That Shouldn’t Have Been Continues To Fail The Community

    [This article was originally published on Dark Reading, titled “Hand CVE Over to the Private Sector”. Note that it underwent editing by the staff there. Below is my original version and this copy is titled the way I had proposed.] Created in 1999, the Common Vulnerability Enumeration (CVE), now dubbed Common Vulnerabilities and Exposures, was…