@jeremiahg Yeah, either interpretation would have a pretty useful answer IMO, so I'm curious which it ends up being. Subscribed.

@jeremiahg Oh, I see. Said differently: An even smaller subset of of vulns that appear in KVEs actually result in claims. This is what the correct suggestion is, right? Where my mind went, was that certain CVEs caused claims that were not present in KVE, which is not what you meant

@jeremiahg Clarifying question: This suggests some amount of CVE's with observed ITW exploitation that are not also formally accounted for in KEV data?

Ramping up on bluesky 🦋:

RT @cryps1s: I'm thrilled to announce that I've joined as CISO, alongside @embeddedsec, at @OpenAI. Security is germane to OpenAI's missio…

In the wild exploit in Firefox, disclosed and fixed within 25 hours.

My "Starting Up Security" writing correlates to my caffeine intake which has dropped off over the last few years. Today I got tricked into an actual coffee, so drafts are open. Taking any requests, just DM ☕️

RT @clintgibler: “Detection is a problem I describe as deceptively tractable.” @Magoo on 🔍 Prioritizing Detection Engineering Proposed i…

@ErrataRob @lcamtuf Seems less likely that an interdiction added explosives and relied on a known vuln to trigger it. More likely, while introducing explosives, introduced a trigger at the same time so it could be triggered at a more predictable time. Was it additional hardware, or malware?

I wrote about how detection engineering should be prioritized in a security program. Feedback and discussion welcome!

The boring security management stuff. 🤣 Managing a quarterly security review: Feedback welcome as usual.

Should CVE-2024-38063 be more widely discussed? It's a zero click IPv6 RCE (????). Am I just not reading this right? Normally there's a of panic about ITW exploitation, exposed hosts, and wormability for a vuln like this. I gotta be missing something.

RT @christinacaci: 1/ Thrilled to announce we’ve raised $150mm Series C at a $2.45bn post valuation led by @sequoia alongside our existing…

Offensive work, detection engineering, and compliance are especially common sources of painful imbalances. Easy to argue to include others too. My written commentary has mostly been on negative imbalances, but they can be framed positively too.