Tag: CVE
-
Leave AI Slop out of CVE; Humans Make Mistakes Just Fine

I was recently asked, again, if so-called AI could help CVE. My reply was quick and direct: no. At least, not right now, and to me not for the immediate foreseeable future. Anyone who knows me is probably aware of my disdain for so-called AI. The fact that I preface it with “so-called” should be…
-
2025 BSidesLV CVE Panel – My Comments

This year at BSides Las Vegas, a panel discussing the CVE program and crisis occurred. I watched the panel discussion after the fact, since I did not attend. For full transparency, something MITRE isn’t fond of, I almost attended as a keynote speaker on the subject of CVE. I was invited to, but personally did…
-
Dark Reading Confidential: Funding the CVE Program of the Future – Podcast

For the July 31, 2025 episode of Dark Reading Confidential, I joined Bugcrowd’s Trey Ford and Adam Shostack to discuss the future of CVE, specifically around funding or the potential lack thereof. It was a great discussion and the three of us largely agreed on matters. Trey and I had some minor disagreements that we…
-
CVE: The Big Vote of No Confidence

Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about it. The super tl;dr is that on April 15, a…
-
Who Reads Mega-advisories? No one! (Almost)

Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer:…
-
The Curious Case of CVE-2015-2551 & CVE-2019-9081 – Doom and Gloom! Or not.

What’s Your Story CVE-2015-2551? This CVE-2015-2551 entry seems straightforward, based on the description provided by CVE or NVD. Looking at the change history on NVD it is a bit more informative: So the ID was created for the 2015 calendar year, apparently not used, rejected seven years later, and confirmed by the assigning CNA (Microsoft).…
-
ChatGPT Exploited by Threat Actors, Doom and Gloom! Or not.

After years of chasing down typos in CVE IDs, now we all have to contend with poorly researched headlines and apparent to me ambulance chasing over mistaken product names. If you missed the news, threat actors are exploiting a vulnerability in ChatGPT! This is obviously a huge warning and we should all be afraid because…
-
Has CWE Jumped the Shark?

The Common Weakness Enumeration (CWE) is a MITRE-run, community-developed list of common software and hardware weaknesses (Wikipedia Page). The project defines a “weakness” as “a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.” This taxonomy has several uses but they tend to…
-
Reason #283 Why InfoSec Has Failed

For those familiar with my social media, you know that I have frequently said that our industry is failing the commons. InfoSec represents a huge market, companies get paid exorbitant amounts of money, salaries can border on the ridiculous, and the concept of researchers being famous for their work is still alive. Meanwhile, vulnerabilities are…
-
Why Don’t You Fix CVE?

Historically when I pointed out problems in anything, I wasn’t the best at offering solutions. Sometimes I simply had none because the problem was complex and the solutions I came up with were problematic themselves. Other times I had ideas, but they were fairly high-level and abstract and I didn’t want to be like the…