Tag: NVD

  • CISA’s BOD 22-01: How to Prioritize 100 Vulnerabilities in Two Weeks

    [This was originally published on riskbasedsecurity.com, and had considerable edits/enhancements done by Curtis Kang.] CISA BOD 22-01 introduces the directive for government vendors to mitigate 292 CVE IDs, or 301 vulnerabilities, 100 of them within a short timeframe. It is well-meaning and brings potentially valuable focus, but it will put pressure on teams working with […]

  • The Rundown: CVE IDs, Meanings, & Assumptions

    For almost two decades, CVE has been considered an industry standard for vulnerability tracking. A CVE ID can be affiliated with many vulnerabilities, in a format like CVE-2014-54321. Note my choice in ID, from 2014 with a consecutive set of numbers. That is because I specifically chose a ‘sample’ CVE that was set aside as […]

  • Redscan’s Curious Comments About Vulnerabilities

    As a connoisseur of vulnerability disclosures and avid vulnerability collector, I am always interested in analysis of the disclosure landscape. That typically comes in the form of reports that analyze a data set (e.g. CVE/NVD) and draw conclusions. This seems straight-forward but it isn’t. I have written about the varied problems with such analysis many […]

  • A critique of the summary of “Latent Feature Vulnerability Rankings of CVSS Vectors”

    Update: Corren McCoy has written a wonderful response to this blog where she goes into more detail about her conclusions as well as citing more portions of the original research that led to her conclusions. As she notes, there are several layers of condensing the original research at play here, which can dilute and distort […]

  • WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

    [This was originally published on the OSVDB blog.] On September 8, 2016, Jason Levy of WhiteSource Software published a blog titled “Open Source Vulnerability Database”. Almost two years later it came across my radar and I asked via Twitter if WhiteSource was interested in getting feedback on the blog, since it contained errata. They never […]

  • Case Study: Third-Party Plugins

    [This was originally published on RiskBasedSecurity.com in the 2018 Q3 Vulnerability QuickView Report.] Many people are familiar with content management systems (CMS), which are used in a variety of roles. Millions of people use them via hosted software such as WordPress.com and companies use them for blogging and knowledgebase systems. Historically, despite their wide deployment, […]

  • Thoughts about CNNVD vs. US NVD

    [This was originally published on RiskBasedSecurity.com in the 2017 Q3 Vulnerability QuickView report.] In October, Bill Ladd of Recorded Future released a study comparing CVE and the U.S. NationalVulnerability Database (NVD) with China’s National Vulnerability Database (CNNVD). This report, titled“The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting” was covered by John Leyden inThe […]

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can grant, can still have very different expertise within that field. Society and science […]

  • Rebuttal: Dark Reading’s “9” Sources for Tracking New Vulnerabilities

    [This was originally published on the OSVDB blog.] Earlier today, Sean Martin published an article on Dark Reading titled “9 Sources For Tracking New Vulnerabilities“. Spanning 10 pages, likely for extra ad revenue, the sub-title reads: Keeping up with the latest vulnerabilities — especially in the context of the latest threats — can be a […]

  • Our New Year Vulnerability “Trends” Prediction!

    [This was originally published on RiskBasedSecurity.com.] Shortly after a year closes out, the industry is treated to dozens of security companies that want to tell you all about vulnerability totals and trends from the previous year. In many cases, the companies offering the predictions are armchair experts of a sorts, who do not aggregate vulnerability […]