Tag: CNA
-
Wait… We Needed That CNA Rule?! A Complaint =)

It’s one of those rules you’d never think we needed until something happens… On March 27, a VulnDB (not to be confused with VulDB) analyst noticed that a CVE description had a line appended that basically advertised the service of the assigning CNA. CVE-2026-4963 had a pretty standard description from VulDB (not to be confused with…
-
Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses

Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple days ago, titled “CVE Quality-by-Design Manifesto”, is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which…
-
Shadow, Ghost, and Phantasmawhatever Vulnerabilities – The Reality

Back in September of 2024, I took some notes on a blog I wanted to write about “Shadow” vulnerabilities, based on a corporate blog with a poor concept and misunderstanding of CVE. The title was to be “Shadow Vulnerabilities – Rebuttal” and pretty straight-forward. Vulnerability life is crazy when you help manage a true vulnerability…
-
Why Don’t You Fix CVE?

Historically when I pointed out problems in anything, I wasn’t the best at offering solutions. Sometimes I simply had none because the problem was complex and the solutions I came up with were problematic themselves. Other times I had ideas, but they were fairly high-level and abstract and I didn’t want to be like the…
-
CVE Farming – Problem & Solution

Blog Origins

In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting…
-
MITRE’s Phoning in New CNAs

On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNA) on their Twitter feed as well as their news page. However, there were actually seven added according to the CNAs page based on tracking it daily. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify.…
-
400 CNAs, Yay?

Introduction

This week, or in the next two, we’re likely to see MITRE heralding the milestone of minting their 400th CVE Numbering Authority (CNA). These are, primarily, organizations that can assign a CVE ID without having to go to MITRE each time to obtain the ID. This is part of what MITRE calls a “federated”…
-
Mozilla and Transparency

[Back in 2015, Mozilla promised transparency but was anything but regarding some products and vulnerabilities. I had contacted Slackware trying to determine if they were impacted and found out their hands were tied, due to Mozilla. I am posting my raw notes as-is, just so they are public and can be referenced.]

https://blog.mozilla.org/security/2015/09/04/improving-security-for-bugzilla/

Openness, transparency, and…