Tag: CVE
-
Bob’s “CVE Quality-by-Design Manifesto” – The Hit and Misses
Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple days ago, titled “CVE Quality-by-Design Manifesto“, is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which…
-
Shadow, Ghost, and Phantasmawhatever Vulnerabilities – The Reality
Back in September of 2024, I took some notes on a blog I wanted to write about “Shadow” vulnerabilities, based on a corporate blog with a poor concept and misunderstanding of CVE. The title was to be “Shadow Vulnerabilities – Rebuttal” and pretty straight-forward. Vulnerability life is crazy when you help manage a true vulnerability…
-
Rest In Peace IBM X-Force Vulnerability Database
Within the vulnerability ecosystem, the CVE project / vulnerability database is certainly the most well-known. Over the past 30 years many others have come and gone, and others are still around. Some of you will recognize SecurityFocus BID, Open Sourced Vulnerability Database (OSVDB), Secunia, VulnDB, OSV, and others. Started in 1997, there is another that…
-
Squirrel Goes Down the Rabbit Hole … Podcast
On November 17, I joined the three hosts of the Down the Security Rabbithole (DtSR) podcast to talk about CVSS, CVE, and how they play into risk and defending networks. My time followed Robert “RSnake” Hansen’s podcast where he had a pretty controversial take on risk management. One of the hosts, Rafal Los, asked my…
-
Leave AI Slop out of CVE; Humans Make Mistakes Just Fine
I was recently asked, again, if so-called AI could help CVE. My reply was quick and direct; no. At least, not right now, and to me not for the immediate foreseeable future. Anyone that knows me is probably aware of my disdain for so-called AI. The fact that I preface it with “so-called” should be…
-
2025 BSidesLV CVE Panel – My Comments
This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did…
-
CVE: The Big Vote of No Confidence
Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about. The super tl;dr is that on April 15, a…
-
Who Reads Mega-advisories? No one! (Almost)
Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer:…
-
The Curious Case of CVE-2015-2551 & CVE-2019-9081 – Doom and Gloom! Or not.
What’s Your Story CVE-2015-2551? This CVE-2015-2551 entry seems straight-forward, based on the description provided by CVE or NVD. Looking at the change history on NVD it is a bit more informative: So the ID was created for the 2015 calendar year, apparently not used, rejected seven years later, and confirmed by the assigning CNA (Microsoft).…
-
ChatGPT Exploited by Threat Actors, Doom and Gloom! Or not.
After years of chasing down typos in CVE IDs, now we all have to contend with poorly researched headlines and apparent to me ambulance chasing over mistaken product names. If you missed the news, threat actors are exploiting a vulnerability in ChatGPT! This is obviously a huge warning and we should all be afraid because…