Blog Posts
Probably Don’t Rely on EPSS Yet
This post evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.
• By Jonathan Spring
In CERT/CC Vulnerabilities
CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security
Art Manion, Eric Hatleback, Allen Householder, Jonathan Spring, and Laurie Tyzenhaus recently submitted comments to the National Institute of Standards and Technology (NIST), which is seeking positions related to executive …
• By Jonathan Spring
In CERT/CC Vulnerabilities
Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning
My colleagues, Nathan VanHoudnos, April Galyardt, Allen Householder, and I would like you to know that today Microsoft and MITRE are releasing their Adversarial Machine Learning Threat Matrix. This is …
• By Jonathan Spring
In CERT/CC Vulnerabilities
Comments on NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning
The U.S. National Institute of Standards and Technology (NIST) recently held a public comment period on their draft report on proposed taxonomy and terminology of Adversarial Machine Learning (AML)....
• By Jonathan Spring
In CERT/CC Vulnerabilities
Machine Learning in Cybersecurity
Our technical report provides an overview of the relevant parts of an ML lifecycle--selecting the right problem, the right data, and the right math and summarizing the model output for …
• By Jonathan Spring
In CERT/CC Vulnerabilities
Comments on Voluntary Voting System Guidelines 2.0 Principles and Guidelines
The U.S. Election Assistance Commission recently held a public comment period on their Voluntary Voting System Guidelines 2.0 Principles and Guidelines....
• By Allen Householder, Deana Shick, Jonathan Spring, Art Manion
In CERT/CC Vulnerabilities
Domain Blacklist Ecosystem - A Case Study
Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem....
• By Jonathan Spring, Leigh Metcalf
In CERT/CC Vulnerabilities
Blacklist Ecosystem Analysis
Hi all. Leigh Metcalf and I have been continuing our study of the cybersecurity ecosystem. Last year we published a long white paper....
• By Jonathan Spring, Leigh Metcalf
In CERT/CC Vulnerabilities
Domain Name Parking
Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking....
• By Jonathan Spring, Leigh Metcalf
In CERT/CC Vulnerabilities
Domain Blocking: The Problem of a Googol of Domains
Hi all, this is Jonathan Spring. I've written a bit about some challenges with blacklisting, such as about the dynamics of domain take-down....