Tag: Vulnerabilities

  • Vulnerability Forecasting Technical Colloquium – A Few Thoughts

    [I wrote this on September 21st, but apparently forgot to ultimately move from GDoc to Blog. I suspect because it really needs to be cleaned up as it is my first draft. Rather than do that, since the event has passed, I will just backdate instead. This blog was actually published December 28, 2024.] Part…

  • Almost Zero Value in “Zero Progress on Zero-Days”; a Rebuttal

    The following blog is general comments and a rebuttal of sorts to the following paper: “Zero Progress on Zero-Days: How the Last Ten Years Created the Modern Spyware Market” by Mailyn Fidler, Assistant Professor, University of New Hampshire, Franklin Pierce School of Law [Link] Unfortunately, I can’t easily cut and paste from this PDF which…

  • GVD Discussion – Round Two

    Tom Alrich published a blog titled “The Global Vulnerability Database won’t be a “database” at all” on November 10, 2023. In the blog Tom lays out some ideas for how this “database” would operate and the advantages he sees. I didn’t see this blog until early May and posted my “Thoughts on Tom Alrich’s “Global…

  • The Linux CNA – Red Flags Since 2022

    [2/28/2024 Update: A bit more info added at end regarding “almost any bug might exploitable”.] MITRE announced that The Linux Kernel Organization (Kernel.org, hereafter referred to as ‘Linux’) was officially a CVE Numbering Authority (CNA) on February 13, 2024 and via the CVE web site, that their advisories would be posted here. That means they…

  • No one will burn a zero day on you…?

    For at least two decades, a common mantra in the Information Security industry is that “no one will burn a zero day on you!” This is typically said to a person, often someone that comes across as overly paranoid, or perhaps a small hobby website. This term refers to zero day vulnerabilities, ones that are…

  • Techstrong TV Appearance on Vulnerabilities

    On December 21, 2023, I was a guest on the Techstrong.tv podcast hosted by Alan Shimel. The topic was finding and identifying hidden vulnerabilities. The show summary: Flashpoint has found/identified more than 100,000 hidden vulnerabilities beyond what CVE reports. Brian Martin and Alan discuss the company’s breakthrough.

  • That Vulnerability is “Trending” … a Redux

    A couple weeks ago I published a blog titled “That Vulnerability is ‘Trending’ … So What?“. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this… A CVE…

  • Will the Real 300,000 Stand Up?

    On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and .. wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text…

  • security@ Is a Two-way Street

    More and more companies are embracing the benefits of maintaining a dedicated security team to not only help manage internal processes such as a systems development life cycle (SDLC) that may focus on security, but to also manage vulnerability reports from external parties. Some companies choose to implement bug bounty programs, and some do not.…

  • Microsoft SIR and Vulnerability Statistics

    [I wrote this for my day job back in February, 2017, but it never got posted. Including it here for reference.] The notion of expertise in any field is fascinating. It crosses so many aspects of humans and our perception. For example, two people in the same discipline, each with the highest honors academic can…