Vultron: A Protocol for Coordinated Vulnerability Disclosure

This post introduces Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).

Read More

September 26, 2022 • By Allen Householder

In CERT/CC Vulnerabilities

UEFI – Terra Firma for Attackers

This blog post focuses on how the vulnerabilities in firmware popularized by the Uniform Extensible Firmware Interface create a lucrative target for high-profile attackers.

Read More

August 1, 2022 • By Vijay Sarvepalli

In CERT/CC Vulnerabilities

Probably Don’t Rely on EPSS Yet

This post evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.

Read More

June 6, 2022 • By Jonathan Spring

In CERT/CC Vulnerabilities

The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering

This post highlights the latest work from the SEI in coordinated vulnerability disclosure, cyber risk and resilience management, automation, and the science of cybersecurity.

Read More

September 6, 2021 • By Douglas C. Schmidt

In CERT/CC Vulnerabilities

Vulnerabilities: Everybody’s Got One!

In this post, Leigh Metcalf describes how she pulled data from the malvuln project to explore recent vulnerabilities in both malware and non-malware to study the differences.

Read More

June 16, 2021 • By Leigh Metcalf

In CERT/CC Vulnerabilities

CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security

Art Manion, Eric Hatleback, Allen Householder, Jonathan Spring, and Laurie Tyzenhaus, recently submitted comments to the National Institute of Standards and Technology (NIST), which is seeking positions related to executive …

Read More

June 1, 2021 • By Jonathan Spring

In CERT/CC Vulnerabilities

Cat and Mouse in the Age of .NET

Penetration testers have long exploited the PowerShell scripting language to gain a foothold in systems and execute an attack. Eventually, changes in the PowerShell landscape caused the toolsets to shift …

Read More

November 19, 2020 • By Brandon Marzik

In CERT/CC Vulnerabilities

Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning

My colleagues, Nathan VanHoudnos, April Galyardt, Allen Householder, and I would like you to know that today Microsoft and MITRE are releasing their Adversarial Machine Learning Threat Matrix. This is …

Read More

October 22, 2020 • By Jonathan Spring

In CERT/CC Vulnerabilities

Three Places to Start in Defending Against Ransomware

This blog post, the second of three dealing with ransomware and defending against it, covers three initial efforts that will make it more difficult for attackers and less costly to …

Read More

October 12, 2020 • By Tim Shimeall

In CERT/CC Vulnerabilities

Ransomware as a Service (RaaS) Threats

This blog post explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a …

Read More

October 5, 2020 • By Marisa Midler

In CERT/CC Vulnerabilities