Vulnerability Management - Resources
Vulnerability Lifecycle
- Vulnerability Disclosure Policy and A Walk Through Project Zero Metrics (how vendors reacted to vulnerability disclosures by Google Project Zero).
- Microsoft Security Update Guide: a list of all vulnerabilities and patches for Microsoft products. By suitably filtering the "Deployments" view, one can see what each "Patch Tuesday" looks like (e.g., January 2024).
- PatchaPalooza: a comprehensive tool that provides an insightful analysis of Microsoft's monthly security updates (source on GitHub).
Zero days
Market and Researchers
- Zerodium ("WE PAY BIG BOUNTIES"). From their FAQ: "Zerodium customers are government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities". Think a little about what this really means.
- Crowdfense "Crowdfense customers are government institutions in need of advanced zero-day exploits and cyber security capabilities."
- Zero Day Initiative (ZDI) buys software vulnerabilities from independent security researchers, and then discloses these vulnerabilities to their original vendors for patching before making such information public.
- Pwn2Own is a computer hacking contest aimed at exploiting widely used software and mobile devices with previously unknown vulnerabilities. Winners receive a cash prize (supported by ZDI).
- Project Zero is a team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.
AI Agents
- Agents hooked into GitHub can steal creds – but Anthropic, Google, and Microsoft haven't warned users
- Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent They are all vulnerable to prompt injection via GitHub comments — turning PR titles, issue bodies, and issue comments into attack vectors for API key and token theft.
- How Command Injection Vulnerability in OpenAI Codex Leads to GitHub Token Compromise
Data
- Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits This report provides findings from real-world zero-day vulnerability and exploit data.
- 0day "In the Wild" We're sharing our tracking spreadsheet for publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource (by Project Zero team at Google).
- 2022 0-day In-the-Wild Exploitation…so far, by the Project Zero team at Google.
- With 0-days hitting Chrome, iOS, and dozens more this month, is no software safe? "The number of apps being patched for zero-day vulnerabilities has skyrocketed this month...One other thing to remember regarding zero-days: Most of us aren’t likely to be targeted by one. Exploits for this class of vulnerability often cost $1 million or more, and once they’re unleashed on the Internet, it’s generally only a matter of days until they become public knowledge and lose their value. That means zero-days are likely to be used only on a very small base of targets deemed to be high-value, such as government officials, dissidents, large companies, and holders of large amounts of cryptocurrency."
Outbreaks (exploitation immediately after disclosure)
- The Numbers Behind Log4j Vulnerability CVE-2021-44228: twenty-four hours after the initial outbreak, their sensors recorded almost 200,000 attack attempts across the globe.
- Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign: an adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of this exploitation campaign, 31127 NetScalers were vulnerable. One month later, 1828 NetScalers remained backdoored even though 1248 of them were patched.
- CVE-2023-20198 – Cisco IOS-XE ZeroDay (Censys): on October 16, Cisco released an advisory regarding a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software. By October 18th, Censys had seen the number of infected hosts increase from 34,140 to 41,983.
EPSS
This topic is no longer part of this course (it is part of "Cybersecurity Lab")
- Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
- Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights A scientific paper describing how version 3 was constructed (March 2023). An extremely interesting and useful reading, as well as a brilliant example of how machine learning can be used in practical settings. All the numbers related to Efficiency vs Coverage for exploitation prediction in the lectures have been taken from this work.
Exploitation Prediction
- Prioritization to Prediction Volume 8: Measuring and Minimizing Exploitability (Jan. 2022) We create a simulation that seeks to minimize organizational exploitability under varying scenarios combining vulnerability prioritization strategies and remediation capacity.
- Prioritization to Prediction, Vol. 9: Role of the CISA-KEV catalog in risk-based vulnerability management (August 2023) Actionable recommendations on integrating the CISA-KEV into risk-based vulnerability management programs.
- CISA - Known Exploited Vulnerabilities Catalog (KEV). For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. The criteria behind this catalog are described in Reducing the Significant Risk of Known Exploited Vulnerabilities.
- cvecrowd: a nice experiment that summarizes ongoing discussions on Mastodon about the most recent CVEs (a form of threat intelligence).
Asset management
- Improving Asset Visibility and Vulnerability Detection on Federal Networks Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive.
- Implementing asset management for good cyber security by the National Cyber Security Centre (NCSC) UK.
- BOD 26-02: Mitigating Risk From End-of-Support Edge Devices Binding directive by CISA for EOL (end of life) devices.
Software Dependencies
- Software Bill of Materials (SBOM): a "software bill of materials" (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.