Tag: OSVDB

  • Rebuttal: Dark Reading’s “9” Sources for Tracking New Vulnerabilities

    [This was originally published on the OSVDB blog.] Earlier today, Sean Martin published an article on Dark Reading titled “9 Sources For Tracking New Vulnerabilities“. Spanning 10 pages, likely for extra ad revenue, the sub-title reads: Keeping up with the latest vulnerabilities — especially in the context of the latest threats — can be a…

  • Response to Kenna Security’s Explanation of the DBIR Vulnerability Mess

    [This was originally published on the OSVDB blog.] Earlier this week, Michael Roytman of Kenna Security wrote a blog with more details about the vulnerability section of the Verizon DBIR report, partially in response to my last blog here questioning how some of the data was generated and the conclusions put forth. The one real…

  • A Note on the Verizon DBIR 2016 Vulnerabilities Claims

    [This was originally published on the OSVDB blog.] [Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did…

  • OSVDB: FIN

    [This was originally published on the OSVDB blog.] As of today, a decision has been made to shut down the Open Sourced Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an…

  • MITRE’ Horrible New CVE ID Scheme and Spindoctoring

    [This was originally published on the OSVDB blog.] Today, The Register wrote an article on MITRE’s announcement of a new CVE ID scheme, and got many things wrong about the situation. As I began to write out the errata in an email, someone asked that I make it public so they could learn from the…

  • Ruminations on David Weinstein’s “Ruminations on App CVEs”

    [This was originally published on the OSVDB blog.] David Weinstein, a researcher at NowSecure, has posted a blog titled “Ruminations on App CVEs“. Thanks to Will Dormann’s Tweet it came to our attention, and he is correct! We have opinions on this. Quoted material below is from Weinstein’s blog unless otherwise attributed. CVE is well-positioned…

  • A quick, factual reminder on the value and reality of a “EULA”… (aka MADness)

    [This was originally published on the OSVDB blog.] This post is in response to the drama the last few days, where Mary Ann Davidson posted an inflammatory blog about security researchers that send Oracle vulnerabilities while violating their End-user License Agreement (EULA… that thing you click without reading for every piece of software you install).…

  • A Note on the Verizon DBIR 2015, “Incident Counting”, and VDBs

    [This was originally published on the OSVDB blog.] Recently, the Verizon 2015 Data Breach Investigations Report (DBIR) was released to much fanfare as usual, prompting a variety of media outlets to analyze the analysis. A few days after the release, I caught a Tweet linking to a blog from Rory McCune that challenged one aspect…

  • Reviewing the Secunia 2015 Vulnerability Review (A Redux)

    It’s that time of year again! Vulnerability databases whip up reports touting statistics and observations based on their last year of collecting data. It’s understandable, especially for a commercial database, to show why your data source is the best. In the past, we haven’t had a strong desire to whip up a flashy PDF with…

  • Vendors sure like to wave the “coordination” flag… (revisiting the ‘perfect storm’)

    [This was originally published on the OSVDB blog.] I’ve written about coordinated disclosure and the debate around it many times in the past. I like to think that I do so in a way that is above and beyond the usual old debate. This is another blog dedicated to an aspect of “coordinated” disclosure that…