Tag: Vulnerability Disclosure

  • Rebuttal? Not really… Comments on Curphey’s Latest Blog

    I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that […]

  • Let’s Talk About 0-days

    [This was a first draft of an article to be published on the Flashpoint Threat Intel blog. Ultimately, parts of it were adopted for a different blog but the original remains considerably different. Curtis Kang contributed significantly to the finished blog below.] Zero-days (0-days and other variations) are exploitable vulnerabilities that the general public is […]

  • Rebuttal: Skeletons in the Closet

    On April 22, 2022, Nate Warfield of Prevailion published an article on Threatpost on the topic of zero days. I’m a little late to this article, but because this horse still has some life in it apparently, I feel obligated to once again point out how the term ‘zero day’ has basically lost all meaning. […]

  • Rebuttal: How to avoid headaches when publishing a CVE

    On May 12, 2022, Adeeb Shah published an article on Help Net Security titled “How to avoid headaches when publishing a CVE”. Shah is a Senior Security Consultant with SpiderLabs, part of Trustwave. Note that it also appears on Trustwave’s blog and includes a second name in the byline, Bobby Cooke. For the sake of […]

  • Log4Shell: Redefining Painful Disclosure

    Log4Shell is yet another example of why we simply don’t get security right, and it strongly suggests there is little hope for change. There are plenty of blogs and articles that do a great analysis of the vulnerability from the exploitation and impact angle of this vulnerability. There are a lot fewer that examine why […]

  • Privasec’s Ridiculous Claim of a “World Record” in Vulnerability Disclosure

    On May 9, 2019, Privasec published an odd press release with a URL slug of “privasec-queensland-telstra-acquisition” but a title of “Privasec Red’s Consultant Breaks World Record By Disclosing Most Number Of Open-Source CVEs.” This claim is simply wrong. To believe it requires either a complete understanding of the vulnerability disclosure landscape or intent to deceive. […]

  • Perlroth, Miller, and the First Remote iPhone Vuln

    In what is sure to be my last blog (?!) born out of reading “This Is How They Tell Me The World Ends” by Nicole Perlroth, this article is basically a quick dive into a single paragraph that contains one sentence with an alleged fact pertaining to vulnerability history. As a self-described Vulnerability Historian, this […]

  • Down The Vulnerability Rabbit Hole

    [This was originally published on RiskBasedSecurity.com.] In a recent article, The Importance of a Living Database, we detailed why it is important to revisit entries as new information comes to light. Like the times, vulnerabilities are a-changin’. We’ve been known to revisit a vulnerability record over 1,200 times, which may seem excessive, and some may […]

  • Zero-days: Two Questions from Perlroth

    I am currently reading “This Is How They Tell Me The World Ends” by Nicole Perlroth, only on page 17 in Chapter 2, so a long way to go before completing the 471 page tome. While only 17 pages in, there are already some annoyances to be sure, but the tone, scope, and feel of […]

  • Commentary on Radware’s Top Web Exploits of 2020

    At the close of each year we see at least one article covering the top vulnerabilities / exploits from the prior year. This is usually written on the back of having large detection networks across the Internet that get a comprehensive view of exploitation. It’s a great way to get real intelligence for criminal hacking […]