<div dir="ltr"><a href="https://www.riskbasedsecurity.com/2020/12/15/vulnerability-prioritization-and-disclosure-the-right-security/">https://www.riskbasedsecurity.com/2020/12/15/vulnerability-prioritization-and-disclosure-the-right-security/</a><div><br></div><div>Video Interview: <a href="https://youtu.be/o58wvnBqAyE">https://youtu.be/o58wvnBqAyE</a><br></div><div><br></div><div><div class="gmail-interior__content" style="box-sizing:inherit;min-height:1000px;max-width:600px;width:600px;padding-right:100px;padding-bottom:175px;color:rgb(64,64,64)"><div class="gmail-intro" style="box-sizing:inherit;margin-bottom:48px"><p style="box-sizing:inherit;margin-bottom:24px;color:rgb(116,118,131);margin-top:0px;line-height:28px"><font face="arial, sans-serif">Art Manion, Principal Engineer at the <a href="https://kb.cert.org/vuls/" target="_blank" rel="noreferrer noopener" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">CERT Coordination Center</a>, joins Jake Kouns, CEO and CISO at Risk Based Security to talk about vulnerability prioritization, CVSSv4, and how organizations can cope with the increasing number of <a rel="noreferrer noopener" href="https://pages.riskbasedsecurity.com/en/en/2020-q3-vulnerability-quickview-report" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">vulnerability disclosures</a>.</font></p><p style="box-sizing:inherit;margin-bottom:24px;color:rgb(116,118,131);margin-top:0px;line-height:28px"><font face="arial, sans-serif">Vulnerabilities are not slowing down. 
Our VulnDB team aggregated <a rel="noreferrer noopener" href="https://www.riskbasedsecurity.com/2020/12/09/new-research-2020-vulnerabilities-on-target-to-match-or-exceed-last-year/" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">17,129 vulnerabilities</a> disclosed during the first three quarters of 2020, marking a 4.6% gap when compared to last year. However, earlier in 2020 that gap was instead a sharp decline of 19.2%.</font></p><p style="box-sizing:inherit;margin-bottom:24px;color:rgb(116,118,131);margin-top:0px;line-height:28px"><font face="arial, sans-serif">Among the main factors responsible for the rapidly closing gap are the <a rel="noreferrer noopener" href="https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">Vulnerability Fujiwhara</a> events and increasing Patch Tuesday releases. With the deluge of vulnerabilities hitting vulnerability management teams, it can be hard to keep up. What can organizations do?</font></p><h3 style="box-sizing:inherit;clear:both;margin:0px 0px 8px;color:rgb(0,0,0);line-height:36px"><font size="2" face="arial, sans-serif">Show Notes</font></h3><p style="box-sizing:inherit;margin-bottom:24px;color:rgb(116,118,131);margin-top:0px;line-height:28px"><font face="arial, sans-serif"><span style="box-sizing:inherit;font-weight:bolder">0:15</span> – Speaker Introduction<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">1:30</span> – Rate of vulnerability disclosures in 2020<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">2:54</span> – CVSS v3 and how it has been working out<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">4:03</span> – CVSS v2 vs. 
CVSS v3 and maintaining both versions<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">5:16</span> – Development of CVSS v4<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">5:38</span> – SSVC and what’s on the horizon<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">16:12</span> – Why vulnerability prioritization is so critical<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">21:17</span> – “Is it 0-day or 0-care”: thoughts from the DEF CON 19 panel<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">25:52</span> – New FIRST special interest group (SIG): Exploit Prediction Scoring System (EPSS)<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">30:38</span> – Predicting vulnerabilities<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">33:50</span> – Advice for companies starting to mature their vulnerability management programs<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">37:22</span> – Reactions to testimony regarding complex cybersecurity vulnerabilities before the U.S. 
Senate Committee on Commerce, Science, and Transportation July 11, 2018<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">40:59</span> – VINCE (Vulnerability Information and Coordination Environment): coordinated vulnerability disclosure web platform<br style="box-sizing:inherit"><span style="box-sizing:inherit;font-weight:bolder">44:30</span> – Closing thoughts and prediction on vulnerability disclosures in 2021</font></p><h4 style="box-sizing:inherit;clear:both;margin:0px 0px 8px;color:rgb(0,0,0);line-height:28px;letter-spacing:1px;text-transform:uppercase"><font face="arial, sans-serif">FURTHER READING:</font></h4><ul style="box-sizing:inherit;margin:24px 0px 1.5em 3em;list-style-position:initial"><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><font size="2" face="arial, sans-serif"><a rel="noreferrer noopener" href="https://insights.sei.cmu.edu/cert/2019/12/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization.html" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization</a> (SSVC)</font></li><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><a href="https://www.riskbasedsecurity.com/2017/01/05/cvssv3-newer-is-better-right/" target="_blank" rel="noreferrer noopener" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none"><font size="2" face="arial, sans-serif">Risk Based Security’s CVSSv3 Article Series</font></a></li><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><a rel="noreferrer noopener" href="https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/" target="_blank" 
style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none"><font size="2" face="arial, sans-serif">The Vulnerability Fujiwhara Effect</font></a></li><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><a rel="noreferrer noopener" href="https://www.youtube.com/watch?v=71Hb6pqIzXE&t=33s" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none"><font size="2" face="arial, sans-serif">DEF CON 19 Panel: Is it 0-day or 0-care?</font></a></li><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><a rel="noreferrer noopener" href="https://www.first.org/epss/" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none"><font size="2" face="arial, sans-serif">Exploit Prediction Scoring System (EPSS)</font></a></li><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><font size="2" face="arial, sans-serif"><a rel="noreferrer noopener" href="https://www.commerce.senate.gov/services/files/48b3bb9c-570e-4c82-b85e-1b1f017a19ab" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">Hearing on “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown”: Written Testimony of Art Manion</a></font></li><li style="box-sizing:inherit;margin-bottom:8px;line-height:28px;color:rgb(116,118,131)"><font size="2" face="arial, sans-serif"><a rel="noreferrer noopener" href="https://www.kb.cert.org/vince/" target="_blank" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">Software Engineering Institute Vulnerability Information and Coordination Environment</a> (VINCE)</font></li></ul><h3 style="box-sizing:inherit;clear:both;margin:0px 0px 8px;color:rgb(0,0,0);line-height:36px"><font size="2" 
face="arial, sans-serif">The Right Security</font></h3><p style="box-sizing:inherit;margin-bottom:24px;color:rgb(116,118,131);margin-top:0px;line-height:28px"><font face="arial, sans-serif">This is the latest in our video series The Right Security, in which we talk with leaders and veterans in the security industry, tackling the biggest issues impacting organizations today.</font></p><p style="box-sizing:inherit;margin-bottom:24px;color:rgb(116,118,131);margin-top:0px;line-height:28px"><font face="arial, sans-serif">Check out <a href="https://www.youtube.com/playlist?list=PLkV2qhiMyRKspi14k6qALEGirECTVRHp9" target="_blank" rel="noreferrer noopener" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">The Right Security series</a> on YouTube, and subscribe to the <a href="https://www.youtube.com/user/riskbased" target="_blank" rel="noreferrer noopener" style="box-sizing:inherit;background-color:transparent;color:rgb(60,80,255);text-decoration-line:none">Risk Based Security channel</a> to see new episodes in your feed.</font></p></div></div></div></div>