Tom Alrich's Blog

Monday, February 27, 2023

Is a vulnerability exploitable when it’s not exploitable?

In my last post, I described an important issue regarding VEX that hasn’t yet been discussed in any published document (but should be): the...
Sunday, February 19, 2023

How do you account for hacker skill level in VEX?

The informal group I formed last spring to discuss problems that are holding back widespread (or even narrowspread) distribution and use of ...
Tuesday, February 14, 2023

VEXual confusion reigns!

My previous post described how the proposed OpenVEX format doesn’t have the capability to address the most important VEX use case, since ...
Wednesday, February 8, 2023

OpenVEX

From Tom 9/20/2024: I noticed this post is suddenly getting a lot of views. I want to clarify what I said. Of the two problems I brought u...
Sunday, February 5, 2023

“None of our products is affected by the log4j vulnerabilities” and other fairy stories

The VEX working group is struggling with a document that makes a number of statements about what should be available in a VEX format (“sho...
Tuesday, January 31, 2023

300 million!

Note from Tom 4/27/2023: I haven't received any updates on these numbers since I wrote the post below, but it's safe to say that t...
Monday, January 30, 2023

Do we need regulations to have SBOMs?

In the SBOM Forum meeting last Friday, we had a lively discussion – nay, argument – on a question that frankly surprised me: Will it take ...