Tag: OSVDB

  • Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a “database” at all“. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…

  • OSVDB, FIN, and Lessons Learned

    OSVDB, FIN, and Lessons Learned

    [Note that this was half-written on 2020/11/13 but never finished and published. Going back through old blog drafts, I am opting to post this as-is, and back date it to when it was started. Toward the end it is not clear from notes if I am quoting the Tweet or making a note on how…

  • WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

    WhiteSource on ‘Open Source Vulnerability Databases’ – Errata

    [This was originally published on the OSVDB blog.] On September 8, 2016, Jason Levy of WhiteSource Software published a blog titled “Open Source Vulnerability Database”. Almost two years later it came across my radar and I asked via Twitter if WhiteSource was interested in getting feedback on the blog, since it contained errata. They never…

  • Before you publish your end-of-year vulnerability statistics…

    Before you publish your end-of-year vulnerability statistics…

    TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or…

  • That Vulnerability is “Theoretical”!

    [This was originally published on the OSVDB blog.] A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’“! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability…

  • Your yearly reminder to post to Full-Disclosure, not Bugtraq

    [This was originally published on the OSVDB blog.] [10/29/2020 Update: As of February 24, SecurityFocus has stopped moderating posts to the Bugtraq mail list without explanation or warning. This is apparently related to Broadcom acquiring Symantec, the owner of SecurityFocus.] This has been a long-recognized and proven thing, but every year we run into more…

  • The Duality of Expertise: Microsoft

    [This was originally published on the OSVDB blog.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can grant, can still have very different expertise within that field. Society and science…

  • Let’s X-ray SCMagazine…

    [This was originally published on the OSVDB blog.] Hopefully a really quick blog, but a section of a news article titled “Hackers are having a field day with stolen credentials” by Amol Sarwate, Qualys’ Director of Vulnerability Labs, published in SC Magazine caught my attention. The section: Let’s X-ray the attack methods Typically, hackers “fingerprint”…

  • I do not think it means what you think it means… (CVE IDs)

    [This was originally published on the OSVDB blog.] Sometime in the past day or so, CVE-2016-10001 was publicly disclosed, and possibly a duplicate. Regardless, CVE-2016-10002 is also now public and legitimate. Tonight, I Tweeted that the presence of those IDs doesn’t mean what many will think it means. I say that based on the past…

  • NTIA, Bug Bounty Programs, and Good Intentions

    [This was originally published on the OSVDB blog.] [Note: This blog had been sitting as a 99% completed draft since early September. I lost track of time and forgot to finish it off then. Since this is still a relevant topic, I am publishing now despite it not being quite as timely in the context…