Why CVEs Are an Incentives Problem

May 29, 2024 at 10:03AM The book “Freakonomics” applies economic principles to social phenomena, emphasizing the impact of incentives on decision-making. The rising number of reported software vulnerabilities (CVEs) raises concerns about the cybersecurity ecosystem and the incentive structure influencing vulnerability reporting. Issues include gaming the system for recognition, lack of accountability in submissions, and …

CISA Announces CVE Enrichment Project ‘Vulnrichment’

May 9, 2024 at 08:57AM The US cybersecurity agency, CISA, has launched the Vulnrichment project to enhance CVE records with CPE, CVSS, CWE, and KEV data. The project aims to prioritize remediation efforts, spot trends, and prompt vendors to address entire classes of vulnerabilities. CISA has enriched 1,300 CVEs and encourages all CNAs to offer …

CVE and NVD – A Weak and Fractured Source of Vulnerability Truth

April 3, 2024 at 10:12AM The Common Vulnerabilities and Exposures (CVE) List managed by MITRE and the National Vulnerability Database (NVD) overseen by NIST are no longer considered a single reliable source of vulnerability information. Challenges include missing vulnerabilities, false positives, and resource limitations. NIST, acknowledging the backlog, is seeking a consortium to improve vulnerability …

VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

February 21, 2024 at 01:15AM VMware has reported critical security flaws in the Enhanced Authentication Plugin (EAP), urging users to uninstall it. The vulnerability enables a malicious actor to manipulate service tickets and hijack sessions. Additionally, SonarSource disclosed cross-site scripting flaws in Joomla!. Salesforce’s Apex programming language also faces high-severity vulnerabilities. Users are advised to …

CVSS 4.0 Offers Significantly More Patching Context

November 7, 2023 at 03:52PM The latest version of the Common Vulnerability Scoring System (CVSS version 4.0) allows organizations to assess and manage the risk posed by security bugs more effectively. It introduces new metrics that enable a dynamic and context-sensitive evaluation of vulnerabilities. CVSS 4.0 provides a more tailored risk management approach and allows …