Tag: CVE

  • Android versus iOS Security – Not Again…

    [This was originally published on the OSVDB blog.] About two weeks ago, another round of vulnerability stats got passed around. Like others before, it claims to use CVE to compare Apple iOS versus Android in an attempt to establish which is more secure based on “vulnerability counts”. The statistics put forth are basically meaningless, because […]

  • “Threat Intelligence”, not always that intelligent.

    I’ve been in the security arena for some time now, like many of my friends and colleagues. For over a decade, we have been presented with several vendors that deliver yearly reports summarizing various attributes of the industry: vulnerabilities, hack attacks, spam, malware, breaches, and more. They are typically delivered in summaries that can be […]

  • CVE Vulnerabilities: How Your Dataset Influences Statistics

    [This was originally published on the OSVDB blog.] Readers may recall that I blogged about a similar topic just over a month ago, in an article titled Advisories != Vulnerabilities, and How It Affects Statistics. In this installment, instead of “advisories”, we have “CVEs” and the inherent problems when using CVE identifiers in the place […]

  • Adobe, Qualys, CVE, and Math

    [This was originally published on the OSVDB blog.] Elinor Mills wrote an article titled Firefox, Adobe top buggiest-software list. In it, she quotes Qualys as providing vulnerability statistics for Mozilla, Adobe and others. Qualys states: The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft […]

  • What I Learned From Early CVE Entries!

    [This was originally published on the OSVDB blog.] This post is the farthest thing from picking on or insulting CVE. They were running a VDB some four years before OSVDB entered the picture. More impressive, they operated with a level of transparency that no other VDB offered at the time. Early OSVDB entries suffered just […]

  • OSVDB Now Supports CVSSv2 Scoring

    [This was originally published on the OSVDB blog.] OSVDB now displays CVSSv2 scores, mostly as calculated by the National Vulnerability Database (NVD): Along with the score, we display the date that NVD generated it and give users a method for recommending updates if they feel the score is inaccurate. While this is long overdue, this […]

  • VDB Relationships (Hugs and Bugs!)

    [This was originally published on the OSVDB blog.] Like any circle in any industry, having good professional relationships can be valuable to involved parties. In the world of security, more specifically Vulnerability Databases (VDBs), the relationships we maintain benefit the community behind the scenes. Like ogres and onions, there are layers. Someone from CVE and […]

  • If You Can’t, How Can We?

    [This was originally published on the OSVDB blog.] Steve Christey w/ CVE recently posted that trying to keep up with Linux Kernel issues was getting to be a burden. Issues that may or may not be security related, even Kernel developers don’t fully know. While this is a good example of the issues VDBs face, […]

  • Who Discovered the Most Vulns?

    [This was originally published on the OSVDB blog.] This is a question OSVDB moderators, CVE staff and countless other VDB maintainers have asked. Today, Gunter Ollmann with IBM X-Force released his research trying to answer this question. Before you read on, I think this research is excellent. The relatively few criticisms I bring up are […]

  • Coffee makers are SCADA, right?!

    [This was originally published on the OSVDB blog.] Steven Christey of CVE posted asking a question about VDBs and the inclusion of coffee makers. Yes, you read that correctly, vulnerabilities are being found in coffee makers that are network accessible. Don’t be surprised, we all knew the day was coming when every household appliance would […]