tumblr.attrition.org

@attritionorg / tumblr.attrition.org

Welcome to the aforementioned slinky and sultry Web 2.0 crap.
Thoughts on CISA's "Vulnrichment" Initiative

As many in the vulnerability disclosure ecosystem are now aware, the Cybersecurity & Infrastructure Security Agency (CISA) announced a new program called “Vulnrichment” on LinkedIn yesterday. News about the program spread rapidly via news sites and private companies. In this statement and elsewhere, there are definitely some general questions to be asked out loud since the program is so new. For…

Thoughts on Tom Alrich's "Global Vulnerability Database"

Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a ‘database’ at all”. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability databases (VDBs), that’s my jam. Buckle up, this may be a long one. Note…

MITRE Got Popped; A Bit of Irony and Perspective

I know, “don’t kick someone when they are down“, but I have a history of working on a project that catalogs just such incidents. Yesterday, MITRE announced that they had been compromised by a nation-state actor, but didn’t provide much detail. Bleeping Computer reported that the compromise was due to zero-day vulnerabilities in an Ivanti VPN product (CVE-2023-46805 / CVE-2024-21887). Like MITRE…

A Glimpse Into the CISA KEV

On March 27, Elizabeth Cardona and Tod Beardsley gave a presentation at VulnCon 2024 about CISA’s KEV, or ‘Known Exploited Vulnerabilities’ list. This initiative was created as a result of BOD 22-01, which is a ‘Binding Operational Directive’ aimed at reducing the risk due to vulnerabilities that are known to be exploited in the wild, and that may impact federal, executive branch, departments and…

VulnCon: NVD Symposium, Answers, and More Concerns

Yesterday, at the inaugural VulnCon, Tanya Brewer from the NVD gave a presentation that was listed on the agenda as “NVD Symposium”. At the talk, her slides began with a header “The National Vulnerability Database: Exploring Opportunities”. However, neither was the primary topic that most people were interested in. Fortunately for the crowd, Tanya, the NVD Program Manager for the last four…

The Linux CNA - Red Flags Since 2022

MITRE announced that The Linux Kernel Organization (Kernel.org, hereafter referred to as ‘Linux’) was officially a CNA on February 13, 2024, and, via the CVE web site, that their advisories would be posted here. Several prominent members in the industry have already voiced concerns about this, including Chompie, Ian Coldwater, Brad Spengler, and Katie Moussouris. All of them, and more, are exactly…

2024 and Some Still Don't Understand the CVE Ecosystem

[Update: Even before I publish this, I want to keep everything I wrote for now. But I believe this rebuttal is in response to trash written by SpiceWorks and a GPT.] The world of vulnerability disclosures is growing fast, for a variety of reasons I won’t get into. Suffice it to say my time is limited. So a quick rebuttal to an article on Spiceworks titled “What Are Common Vulnerabilities and…

Concert: Tash Sultana

On Saturday night, I went to my first concert in … a long time, maybe a decade? In fact, someone asked me when the last concert I went to was and it sent me down a rabbit hole because apparently I didn’t start using Google Calendar until much later than I remembered. After digging through emails, prior concert reviews, and a really poor memory, I put together that list. Then I remembered I keep…

Speaking Ill of the Dead?

Folks in the Information Security (InfoSec) circles are getting old. It is evident from the last few years and seeing those we know, in some capacity, passing on. For many of us still here, we find ourselves battling a world of conditions ranging from the relatively simple high blood pressure, to the more complicated like diabetes. That doesn’t even speak to the separate issues like so many in…

That Vulnerability is "Trending" … a Redux

A couple weeks ago I published a blog titled “That Vulnerability is ‘Trending’ … So What?“. I didn’t think I would be publishing another on this topic, especially this fast. But I ran into another absurd case of a vulnerability “trending” and figured out why, which is even more ridiculous. I caused this… A CVE came across one of our feeds that monitors Twitter for mentions of a CVE ID that isn’t…

That Vulnerability is "Trending" ... So What?

Yesterday, more than one organization reached out to my company asking why a particular vulnerability wasn’t in VulnDB yet. First, it had been less than 24 hours since publication in CVE/NVD, NVD hasn’t analyzed it as of the time of this blog, and it is in software no significant business would use. It’s part of a pattern of vulnerabilities being disclosed in low-end personal PHP projects, most…

Rebuttal? Not really... Comments on Curphey's Latest Blog

I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that as someone who reads, quite literally, every new CVE published and have for coming up on 20 years. Pretty sure no one at…

Will the Real 300,000 Stand Up?

On September 27, 2022, Flashpoint’s VulnDB hit the 300,000th entry added to the database. Think about that and … wow. I started the adventure of collecting vulnerabilities around 1993, back when it was all flat text files, and my hacker group used a FILES.BBS file as an index, pointing to many hundreds of other text files, each with one vulnerability. At the time our collection was impressive;…

security@ Is a Two-way Street

More and more companies are embracing the benefits of maintaining a dedicated security team to not only help manage internal processes such as a systems development life cycle (SDLC) that may focus on security, but to also manage vulnerability reports from external parties. Some companies choose to implement bug bounty programs, and some do not. The manner in which they implement such programs,…
