Tag: OSVDB
-
Security Software: Holding the Vault Door Open for Criminals

I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software,…
-
Thoughts on Tom Alrich’s “Global Vulnerability Database”

Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a ‘database’ at all”. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…
-
OSVDB, FIN, and Lessons Learned

[Note that this was half-written on 2020/11/13 but never finished and published. Going back through old blog drafts, I am opting to post this as-is, and back date it to when it was started. Toward the end it is not clear from notes if I am quoting the Tweet or making a note on how…
-
WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

[This was originally published on the OSVDB blog.] On September 8, 2016, Jason Levy of WhiteSource Software published a blog titled “Open Source Vulnerability Database”. Almost two years later it came across my radar and I asked via Twitter if WhiteSource was interested in getting feedback on the blog, since it contained errata. They never…
-
Before you publish your end-of-year vulnerability statistics…

TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or…
-
That Vulnerability is “Theoretical”!

[This was originally published on the OSVDB blog.] A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’”! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability…
-
Your yearly reminder to post to Full-Disclosure, not Bugtraq

[This was originally published on the OSVDB blog.] [10/29/2020 Update: As of February 24, SecurityFocus has stopped moderating posts to the Bugtraq mail list without explanation or warning. This is apparently related to Broadcom acquiring Symantec, the owner of SecurityFocus.] This has been a long-recognized and proven thing, but every year we run into more…
-
Let’s X-ray SCMagazine…

[This was originally published on the OSVDB blog.] Hopefully a really quick blog, but a section of a news article titled “Hackers are having a field day with stolen credentials” by Amol Sarwate, Qualys’ Director of Vulnerability Labs, published in SC Magazine caught my attention. The section: Let’s X-ray the attack methods Typically, hackers “fingerprint”…
-
I do not think it means what you think it means… (CVE IDs)

[This was originally published on the OSVDB blog.] Sometime in the past day or so, CVE-2016-10001 was publicly disclosed, and possibly a duplicate. Regardless, CVE-2016-10002 is also now public and legitimate. Tonight, I Tweeted that the presence of those IDs doesn’t mean what many will think it means. I say that based on the past…
-
NTIA, Bug Bounty Programs, and Good Intentions

[This was originally published on the OSVDB blog.] [Note: This blog had been sitting as a 99% completed draft since early September. I lost track of time and forgot to finish it off then. Since this is still a relevant topic, I am publishing now despite it not being quite as timely in the context…