  • Rebuttal: A blended look at what makes the CVE program try to tick

    A few days ago, Tod Beardsley published an article on SC Magazine titled “An inside look at what makes the CVE Program tick“. Overall the article is well-written and offers some insights into MITRE, CVE, and their “CNA” program or CVE Numbering Authorities. Beardsley does a good job enumerating some basics about the program, the […]

  • Sharks Are Scary but Worry About Mosquitoes

    [This was originally published on RiskBasedSecurity.com and was included in the 2021 Mid Year Vulnerability QuickView Report.] It seems like every day that we hear about a new hack and read headlines that tell us that so-called advanced persistent threats (APT) are compromising major organizations. These APT and nation-state actors have incredible skill and seemingly […]

  • SolarWinds: Sitting on Undisclosed Vulnerabilities

    [This was originally published on RiskBasedSecurity.com.] SolarWinds was in the news last year, as the victim of an attack that compromised its Orion Platform software by inserting a backdoor into it, allowing for remote code execution. This attack has had an incredible impact on the security industry and recently, interest in the SolarWinds breach has […]

  • More authorities, more CVEs; Oh, and more commentary.

    On November 10, TechBeacon published a great article by Rob Lemos titled “More authorities, more CVEs: What it means for app sec teams” in which I was quoted, along with several other people. Like many articles of this nature, those who provide input often will talk for as long as half an hour and ultimately […]

  • The Great (belated) Mozilla Firefox CVE Dump

    [This was originally published on RiskBasedSecurity.com.] On June 11th, MITRE published descriptions and references for 318 entries, all relating to Mozilla Firefox. Yes; three hundred and eighteen entries. It may be tempting to think Mozilla was holding back on disclosures or there was a flurry of research activity leading to a slew of new vulnerabilities being discovered. […]

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academia can grant, can still have very different expertise within that field. Society and science […]

  • I do not think it means what you think it means… (CVE IDs)

    [This was originally published on the OSVDB blog.] Sometime in the past day or so, CVE-2016-10001 was publicly disclosed, and possibly a duplicate. Regardless, CVE-2016-10002 is also now public and legitimate. Tonight, I Tweeted that the presence of those IDs doesn’t mean what many will think it means. I say that based on the past […]

  • MITRE’s Horrible New CVE ID Scheme and Spindoctoring

    [This was originally published on the OSVDB blog.] Today, The Register wrote an article on MITRE’s announcement of a new CVE ID scheme, and got many things wrong about the situation. As I began to write out the errata in an email, someone asked that I make it public so they could learn from the […]

  • CVE Is Baffling Some Nights

    [This was originally published on the OSVDB blog.] CVE, managed by MITRE, a ‘sole-source’ government contractor that gets as much as one million dollars a year from the government (or more) to run the project, is a confusing entity. Researchers who have reached out to CVE for assignment or clarification on current assignments have gone […]

  • Malware to Vulnerability Mappings.. Anyone?

    [This was originally published on the OSVDB blog.] Unbeknownst to many of us, MITRE’s Common Malware Enumeration (CME) project was declared dead, and apparently has been for a while. What is CME? From their site: CME was created to provide single, common identifiers to new virus threats and to the most prevalent virus threats in […]