Tag: Vulnerability Tourists

  • Miggo, KEV, and FUD; They Still Don’t Get It

    [If the name ‘Miggo’ is familiar to you in the context of my blogging, you are thinking about one I wrote titled “Miggo Security’s AI Slop & Potential Trademark Infringement” in July, 2025. That was more around ‘corporate’ culture and bad lawyering. This blog is different, pointing out how they don’t seem to understand KEV…

  • It’s 2024 and Netscout Doesn’t Understand CVE

    [Quick update! This was titled ‘2026’, but Josh Bressers pointed out I missed that Netscout’s blog is from 2024. It came up a few days ago on a Google Alert so I mistakenly assumed it was a new blog. I have updated the title, but the URL slug will still say 2026. Either way, I think…

  • 2024 and Some Still Don’t Understand the CVE Ecosystem

    [Update: Even before I publish this, I want to keep everything I wrote for now. But I believe this rebuttal is in response to trash written by SpiceWorks and a GPT.] The world of vulnerability disclosures is growing fast, for a variety of reasons I won’t get into. Suffice it to say my time is…

  • Rebuttal: How to avoid headaches when publishing a CVE

    On May 12, 2022, Adeeb Shah published an article on Help Net Security titled “How to avoid headaches when publishing a CVE”. Shah is a Senior Security Consultant with SpiderLabs, part of Trustwave. Note that it also appears on Trustwave’s blog and includes a second name in the byline, Bobby Cooke. For the sake of…

  • Redscan’s Curious Comments About Vulnerabilities

    As a connoisseur of vulnerability disclosures and avid vulnerability collector, I am always interested in analysis of the disclosure landscape. That typically comes in the form of reports that analyze a data set (e.g. CVE/NVD) and draw conclusions. This seems straightforward but it isn’t. I have written about the varied problems with such analysis many…

  • Why Anaconda INC Doesn’t Fully Understand CVEs

    It’s worrisome that in 2020 we still have people in influential technical roles that don’t understand CVE. A friend told me earlier this year he was in a meeting where someone said that CVE IDs are assigned in order, so CVE-2020-9500 meant there were 9500 vulns in 2020 so far. Of course that is not…

  • Before you publish your end-of-year vulnerability statistics…

    TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or…

  • A Note on the Verizon DBIR 2016 Vulnerabilities Claims

    [This was originally published on the OSVDB blog.] [Updated 4/28/2016] Verizon released their yearly Data Breach Investigations Report (DBIR) and it wasn’t too long before I started getting asked about their “Vulnerabilities” section (page 13). After bringing up some highly questionable points about last year’s report regarding vulnerabilities, several people felt that the report did…

  • Reviewing the Secunia 2015 Vulnerability Review (A Redux)

    It’s that time of year again! Vulnerability databases whip up reports touting statistics and observations based on their last year of collecting data. It’s understandable, especially for a commercial database, to show why your data source is the best. In the past, we haven’t had a strong desire to whip up a flashy PDF with…

  • Reviewing the Secunia 2013 Vulnerability Review

    [This was originally published on the OSVDB blog.] On February 26, Secunia released their annual vulnerability report (link to report PDF) summarizing the computer security vulnerabilities they had cataloged over the 2013 calendar year. For those not familiar with their vulnerability database (VDB), we consider them a ‘specialty’ VDB rather than a ‘comprehensive’ VDB (e.g.…