Tag: Pedantic

  • Captain Obvious Audits the NVD

    Captain Obvious Audits the NVD

    During my recent trip to the East Coast several people linked an article from Recorded Future to me since it was on a topic I have written extensively about. The article covered a May 26 report from the Office of the Inspector General (OIG) at the Department of Commerce that was summarized as “mistakes have…

  • Security Software: Holding the Vault Door Open for Criminals

    Security Software: Holding the Vault Door Open for Criminals

    I have been consistently tracking a fun metric around vulnerabilities since March 19, 2024. Before that I would occasionally mention it during talks or chat, but I don’t think I formally blogged about it before this and didn’t track the exact number. So here we are to discuss the prevalence of vulnerabilities in security software,…

  • Who Reads Mega-advisories? No one! (Almost)

    Who Reads Mega-advisories? No one! (Almost)

    Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer:…

  • GVD Discussion – Round Two

    GVD Discussion – Round Two

    Tom Alrich published a blog titled “The Global Vulnerability Database won’t be a “database” at all” on November 10, 2023. In the blog Tom lays out some ideas for how this “database” would operate and the advantages he sees. I didn’t see this blog until early May and posted my “Thoughts on Tom Alrich’s “Global…

  • Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a “database” at all“. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…

  • Will the Real 300,000 Stand Up?

    Will the Real 300,000 Stand Up?

    On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and .. wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text…

  • Rebuttal: A blended look at what makes the CVE program try to tick

    Rebuttal: A blended look at what makes the CVE program try to tick

    A few days ago, Tod Beardsley published an article on SC Magazine titled “An inside look at what makes the CVE Program tick“. Overall the article is well-written and offers some insights into MITRE, CVE, and their “CNA” program or CVE Numbering Authorities. Beardsley does a good job enumerating some basics about the program, the…

  • The Rundown: CVE IDs & REJECT Status

    The Rundown: CVE IDs & REJECT Status

    For analysts and practitioners that digest CVE regularly, you will likely be familiar with CVEs that are in REJECT status. If you are new to CVE or not familiar with some of the more gritty details, a CVE assignment may be rejected for various reasons. When that happens, it will receive a capitalized REJECT status:…

  • CVE and the matter of “unique” ID numbers

    CVE and the matter of “unique” ID numbers

    Common Vulnerability Enumeration, now known as Common Vulnerabilities and Exposures (CVE) is a vulnerability database (ignore their silly claim to be a ‘dictionary’) that the information security industry relies on heavily, unfortunately. Per MITRE’s CVE page, “CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly…

  • Advisories != Vulnerabilities, and How It Affects Statistics

    [This was originally published on the OSVDB blog.] I’ve written about the various problems with generating vulnerability statistics in the past. There are countless factors that contribute to, or skew vulnerability stats. This is an ongoing problem for many reasons. First, important numbers are thrown around in the media and taken as gospel, creating varying…