Tag: Vulnerability Disclosure
-
That Vulnerability is “Trending” … a Redux
A couple weeks ago I published a blog titled “That Vulnerability is ‘Trending’ … So What?“. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this… A CVE…
-
That Vulnerability is “Trending” … So What?
Yesterday, more than one organization reached out to my company asking why a particular vulnerability wasn’t in VulnDB yet. First, it had been less than 24 hours since publication in CVE/NVD, NVD hasn’t analyzed it as of the time of this blog, and it is in software no significant business would use. It’s part of…
-
Rebuttal? Not really… Comments on Curphey’s Latest Blog
I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that…
-
Let’s Talk About 0-days
[This was a first draft of an article to be published on the Flashpoint Threat Intel blog. Ultimately, parts of it were adopted for a different blog but the original remains considerably different. Curtis Kang contributed significantly to the finished blog below.] Zero-days (0-days and other variations) are exploitable vulnerabilities that the general public is…
-
Rebuttal: Skeletons in the Closet
On April 22, 2022, Nate Warfield of Prevailion published an article on Threatpost on the topic of zero days. I’m a little late to this article, but because this horse still has some life in it apparently, I feel obligated to once again point out how the term ‘zero day’ has basically lost all meaning.…
-
Rebuttal: How to avoid headaches when publishing a CVE
On May 12, 2022, Adeeb Shah published an article on Help Net Security titled “How to avoid headaches when publishing a CVE”. Shah is a Senior Security Consultant with SpiderLabs, part of Trustwave. Note that it also appears on Trustwave’s blog and includes a second name in the byline, Bobby Cooke. For the sake of…
-
Log4Shell: Redefining Painful Disclosure
Log4Shell is yet another example of why we simply don’t get security right, and it strongly suggests there is little hope for change. There are plenty of blogs and articles that do a great analysis of the vulnerability from the exploitation and impact angle of this vulnerability. There are a lot fewer that examine why…
-
Privasec’s Ridiculous Claim of a “World Record” in Vulnerability Disclosure
On May 9, 2019, Privasec published an odd press release with a URL slug of “privasec-queensland-telstra-acquisition” but a title of “Privasec Red’s Consultant Breaks World Record By Disclosing Most Number Of Open-Source CVEs.” This claim is simply wrong. To believe it requires either a complete understanding of the vulnerability disclosure landscape or intent to deceive.…
-
Perlroth, Miller, and the First Remote iPhone Vuln
In what is sure to be my last blog (?!) born out of reading “This Is How They Tell Me The World Ends” by Nicole Perlroth, this article is basically a quick dive into a single paragraph that contains one sentence with an alleged fact pertaining to vulnerability history. As a self-described Vulnerability Historian, this…
-
Down The Vulnerability Rabbit Hole
[This was originally published on RiskBasedSecurity.com.] In a recent article, The Importance of a Living Database, we detailed why it is important to revisit entries as new information comes to light. Like the times, vulnerabilities are a-changin’. We’ve been known to revisit a vulnerability record over 1,200 times, which may seem excessive, and some may…