Tag: CISA

  • CISA KEV’s Revolving Door

    CISA KEV’s Revolving Door

    Some time ago, perhaps last year or two years ago during VulnCon, I made an offhand comment about Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog and how there were more than one vulnerability that had appeared in it and were subsequently removed. I received doubt from someone (Tod Beardsley?) that didn’t…

  • We’re Losing the “Cyber” War to Ourselves

    We’re Losing the “Cyber” War to Ourselves

    It’s hard to pinpoint where the concept of cyberwar originated. In roundabout ways it likely goes back many decades in fiction. As far as citations go, some believe a seminal work is titled Unrestricted Warfare by Qiao Liang and Wang Xiangsui, two colonels in the People’s Liberation Army (PLA). Regardless of when the premise started,…

  • Captain Obvious Audits the NVD

    Captain Obvious Audits the NVD

    During my recent trip to the East Coast several people linked an article from Recorded Future to me since it was on a topic I have written extensively about. The article covered a May 26 report from the Office of the Inspector General (OIG) at the Department of Commerce that was summarized as “mistakes have…

  • Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses

    Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses

    Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple days ago, titled “CVE Quality-by-Design Manifesto“, is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which…

  • 2025 BSidesLV CVE Panel – My Comments

    2025 BSidesLV CVE Panel – My Comments

    This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did…

  • CVE: The Big Vote of No Confidence

    CVE: The Big Vote of No Confidence

    Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about.  The super tl;dr is that on April 15, a…

  • CISA Weekly Bulletins FOIA Results

    CISA Weekly Bulletins FOIA Results

    Did you know that CISA publishes a weekly bulletin of “new vulnerabilities”, and has for a long time? They tend to have anywhere from 350 up to almost 1,000 vulnerabilities depending on the volume of CVEs published. The bulletins are entirely based on CVE IDs being published, not when the disclosures happened (just like CVE…

  • Was It Really GPAC? (No!) Getting a CVE Removed from CISA KEV

    Was It Really GPAC? (No!) Getting a CVE Removed from CISA KEV

    On October 3, 2024, Aquasec published a report about newly discovered malware named “perfctl”, targeting Linux servers. In it they cite the malware taking advantage of misconfigurations, as well as attempting to “exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.”  Only problem is that CVE-2021-4043 isn’t “the Polkit vulnerability”, which in itself is problematic since…

  • Known Exploited Vulnerabilities (KEV) Thoughts – Part One

    Known Exploited Vulnerabilities (KEV) Thoughts – Part One

    This is the first of two blogs with my thoughts on Known Exploited Vulnerabilities (KEV) tracking and the challenges that come with tracking them. Introduction On November 03, 2021, Cybersecurity and Infrastructure Security Agency (CISA) announced a Binding Operational Directives (BOD) titled “BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities“. This BOD established…

  • Thoughts on CISA’s “Vulnrichment” Initiative

    Thoughts on CISA’s “Vulnrichment” Initiative

    As many in the vulnerability disclosure ecosystem are now aware, the Cybersecurity & Infrastructure Security Agency (CISA), announced a new program called “Vulnrichment” on LinkedIn yesterday. News about the program spread rapidly via news sites and private companies. In this statement and elsewhere, there are definitely some general questions to be asked out loud since…