Tag: Vulnerability Databases

  • Rebuttal? Not really… Comments on Curphey’s Latest Blog

    I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that […]

  • Will the Real 300,000 Stand Up?

    On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and .. wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text […]

  • Log4Shell: Redefining Painful Disclosure

    Log4Shell is yet another example of why we simply don’t get security right, and it strongly suggests there is little hope for change. There are plenty of blogs and articles that do a great analysis of the vulnerability from the exploitation and impact angle of this vulnerability. There are a lot fewer that examine why […]

  • Reflections on “CVE Approach for Cloud Vulnerabilities”

    At Black Hat Briefings USA this week, Ami Luttwak and Shir Tamari called for a “CVE” style approach to documenting vulnerabilities that affect cloud offerings (note: I have not seen the talk). As one of two people (the other being Jake Kouns) that may have the longest history in this specific space, I wanted to […]

  • Redscan’s Curious Comments About Vulnerabilities

    As a connoisseur of vulnerability disclosures and avid vulnerability collector, I am always interested in analysis of the disclosure landscape. That typically comes in the form of reports that analyze a data set (e.g. CVE/NVD) and draw conclusions. This seems straightforward but it isn’t. I have written about the varied problems with such analysis many […]

  • The Value of Backfilling

    [This was originally published on RiskBasedSecurity.com.] In every quarterly Vulnerability QuickView Report, we include a chart that shows how many vulnerabilities were disclosed so far that year, along with the most current counts of prior periods to show relative growth and decline. In some cases, like this year’s Q1, that chart shows a decline compared […]

  • Commentary on Radware’s Top Web Exploits of 2020

    At the close of each year we see at least one article covering the top vulnerabilities / exploits from the prior year. This is usually written on the back of having large detection networks across the Internet that get a comprehensive view of exploitation. It’s a great way to get real intelligence for criminal hacking […]

  • Not all CVEs are Created Equal. Or even valid…

    [I wrote this early 2019 and it was scheduled for January 7 but it apparently did not actually publish and then got lost in my excessive drafts list. I touched it up this week to publish because the example that triggered this blog is old but the response is evergreen. Apologies for the long delay!] […]

  • Thoughts on 0-days and Risk in 2020

    [Stupid WordPress. This was scheduled to publish Nov 23 but didn’t for some reason. Here it is, a bit late…] On Friday, Maddie Stone from the Google P0 team Tweeted about the 0-day exploits her team tracks. As someone who checks that sheet weekly and tracks vulnerabilities, including ones ‘discovered in the wild’, this is […]

  • Vulnerability Counts Are a Moving Target

    At the end of each year, we see articles covering how many vulnerabilities were disclosed the prior year. Because the articles are written about the same time of year, it gives a fairly good initial comparison from year to year; at least, on the surface. This is the foundation of statements such as “Security vulnerabilities […]