Tag: CVE
-
A Note on the Verizon DBIR 2016 Vulnerabilities Claims
[This was originally published on the OSVDB blog.] [Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did […]
-
MITRE’s Horrible New CVE ID Scheme and Spindoctoring
[This was originally published on the OSVDB blog.] Today, The Register wrote an article on MITRE’s announcement of a new CVE ID scheme, and got many things wrong about the situation. As I began to write out the errata in an email, someone asked that I make it public so they could learn from the […]
-
Our New Year Vulnerability “Trends” Prediction!
[This was originally published on RiskBasedSecurity.com.] Shortly after a year closes out, the industry is treated to dozens of security companies that want to tell you all about vulnerability totals and trends from the previous year. In many cases, the companies offering the predictions are armchair experts of a sort, who do not aggregate vulnerability […]
-
Ruminations on David Weinstein’s “Ruminations on App CVEs”
[This was originally published on the OSVDB blog.] David Weinstein, a researcher at NowSecure, has posted a blog titled “Ruminations on App CVEs”. Thanks to Will Dormann’s Tweet it came to our attention, and he is correct! We have opinions on this. Quoted material below is from Weinstein’s blog unless otherwise attributed. CVE is well-positioned […]
-
A Note on the Verizon DBIR 2015, “Incident Counting”, and VDBs
[This was originally published on the OSVDB blog.] Recently, the Verizon 2015 Data Breach Investigations Report (DBIR) was released to much fanfare as usual, prompting a variety of media outlets to analyze the analysis. A few days after the release, I caught a Tweet linking to a blog from Rory McCune that challenged one aspect […]
-
Reviewing the Secunia 2015 Vulnerability Review (A Redux)
It’s that time of year again! Vulnerability databases whip up reports touting statistics and observations based on their last year of collecting data. It’s understandable, especially for a commercial database, to show why your data source is the best. In the past, we haven’t had a strong desire to whip up a flashy PDF with […]
-
We’re “critical”, not “immature”.
[This was originally published on the OSVDB blog.] Recently, we got feedback via Twitter that we come across as “immature”. On the surface, perhaps. Not all of our Tweets are critical of CVE though. I replied pretty quickly that said criticism is also us “pushing for them to improve since so much of the industry […]
-
SQLi Disclosures and the Last Five Years (Transparent Statistics)
[This was originally published on the OSVDB blog.] Nothing like waking up to a new article purporting to show vulnerability statistics and having someone ask us for comment. But hey, we love giving additional perspective on such statistics since they are often without proper context and disclaimers. This morning, the new article comes from Help […]
-
CVE Is Baffling Some Nights
[This was originally published on the OSVDB blog.] CVE, managed by MITRE, a ‘sole-source’ government contractor, who gets as much as one million dollars a year from the government (or more) to run the project, is a confusing entity. Researchers who have reached out to CVE for assignment or clarification on current assignments, have gone […]