Tag: Vulnerability Databases

  • GVD Discussion – Round Two

    Tom Alrich published a blog titled “The Global Vulnerability Database won’t be a “database” at all” on November 10, 2023. In the blog Tom lays out some ideas for how this “database” would operate and the advantages he sees. I didn’t see this blog until early May and posted my “Thoughts on Tom Alrich’s “Global…

  • Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a “database” at all”. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…

  • VulnCon: NVD Symposium, Answers, and More Concerns

    Yesterday, at the inaugural VulnCon, Tanya Brewer from the NVD gave a presentation that was listed on the agenda as “NVD Symposium”. At the talk, her slides began with a header “The National Vulnerability Database: Exploring Opportunities”. However, neither the symposium nor the opportunities were the primary topics that most people were interested in.…

  • 2024 and Some Still Don’t Understand the CVE Ecosystem

    [Update: Even before I publish this, I want to keep everything I wrote for now. But I believe this rebuttal is in response to trash written by SpiceWorks and a GPT.] The world of vulnerability disclosures is growing fast, for a variety of reasons I won’t get into. Suffice it to say my time is…

  • That Vulnerability is “Trending” … a Redux

    A couple weeks ago I published a blog titled “That Vulnerability is ‘Trending’ … So What?”. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this… A CVE…

  • Rebuttal? Not really… Comments on Curphey’s Latest Blog

    I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that…

  • Will the Real 300,000 Stand Up?

    On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and .. wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text…

  • Log4Shell: Redefining Painful Disclosure

    Log4Shell is yet another example of why we simply don’t get security right, and it strongly suggests there is little hope for change. There are plenty of blogs and articles that do a great analysis of the vulnerability from the exploitation and impact angle of this vulnerability. There are a lot fewer that examine why…

  • Reflections on “CVE Approach for Cloud Vulnerabilities”

    At Black Hat Briefings USA this week, Ami Luttwak and Shir Tamari called for a “CVE” style approach to documenting vulnerabilities that affect cloud offerings (note: I have not seen the talk). As one of two people (the other being Jake Kouns) that may have the longest history in this specific space, I wanted to…

  • Redscan’s Curious Comments About Vulnerabilities

    As a connoisseur of vulnerability disclosures and avid vulnerability collector, I am always interested in analysis of the disclosure landscape. That typically comes in the form of reports that analyze a data set (e.g. CVE/NVD) and draw conclusions. This seems straightforward but it isn’t. I have written about the varied problems with such analysis many…