A few weeks ago I had a conversation with Josh Bressers about the The Global Vulnerability Intelligence Platform and what we're doing there. It's now available on YouTube and your favourite podcast channels!
https://opensourcesecurity.io/2026/2026-02-GVIP-olle-johansson/
Join our community and contribute to the work! Register today at https://www.gvip-project.org/community/
Want to help working on a future global vulnerability intelligence platform with us? Join our community meetings!
Everyone that manages security reports for Open Source projects have been getting a higher workload because of AI. Both real reports and just slop - reports including vulnerabilities in code that doesn't exist. For some, this is becoming a denial of service attack, with developers having to spend valuable, and in some cases unpaid, time to sort out what's real and may be a vulnerability.
Jarek Potiuk, member of The Apache Software Foundation will talk about this on the GVIP Summit Wednesday Jan 28th in Brussels. We still have a few seats available - but hurry up to register!
Bloody great. NVD is behind CloudFlare and it's now blocking HTTP requests from GitHub Actions.
https://github.com/postmodern/nvd-json_feeds.rb/actions/runs/20915134462/job/60086722826
https://github.com/postmodern/nvd-json_feeds.rb/issues/2
Join us for the GVIP Summit - the pre-FOSDEM conference on vulnerability management. Supported by the @sovtechfund
Save the date! A full day of vulnerabilities. Wednesday Jan 28th 26 in Brussels, Belgium. More details to follow. DM me if you want to speak! #CVE #NVD #CVSS #EUVD #OSV
After 20 years in cybersecurity, I’m genuinely frustrated.
Today, a CIO(!!) of a 400 employee company told me that creating SBOMs is basically the same as “creating a directory of all vulnerabilities in a company,” and comparing it even to “a phone book of elderly people who could be called and scammed.”
I was shocked and speechless, on so many levels.
What frustrates me most (not the missing concept of SBOMs) is that in 2025 there are still IT professionals - even IT leaders - out there who believe that OSV, NVD, vuln dbs/threat intelligence, responsible disclosure and (with it) the entire concept of SBOMs are “evil,” enable crime, and should be outlawed.
He was not trolling. He was not joking. Im not joking.
Just a quick reminder: that guy is in charge!
What… the… actual… fuck?
#cio #sbom #osv #nvd #threatintel #threatintelligence #cybersecurity
NVD Delays Leave Defenders in the Dark — Early Visibility is Key
Tenable’s recent analysis shows a worrying pattern in vulnerability disclosure timing:
- 63,862 CVEs from 2024–2025
- 56% of PoCs released within 7 days
- NVD lagging by ~15 days
- Exploitation confirmed in as little as 5 days
This gap between CVE assignment, PoC publication, and NVD visibility creates exploitable blind spots for enterprises relying on traditional patch cycles.
💬 Security leaders - how do you bridge these gaps? Do you trust vendor advisories, exploit feeds, or telemetry-driven signals more?
👍 Like and follow @technadu for continuous coverage of emerging vulnerability management insights.
#InfoSec #CyberSecurity #VulnerabilityManagement #ThreatIntel #NVD #Exploit #RiskIntel #Tenable #CVEs #CyberDefense #ZeroDay #CVETracking #VulnDisclosure #TechNadu
Europe's new EUVD aims to reshape the vulnerability database ecosystem, bringing resilience and openness to a field long dominated by the US. https://jpmellojr.blogspot.com/2025/07/europes-euvd-could-shake-up.html #EUVD #NVD #VulnerabilityDatabase #AppSec
EUROSCOPE — FAUT-IL UNE BASE EUROPÉENNE DES FAILLES ?
Face à l’essoufflement du NVD américain, l’Europe lance l’EUVD. L’inventaire des vulnérabilités devient enjeu stratégique. Le silence d’une base peut faire grandir le risque.
https://whatsapp.com/channel/0029VaE5Wl8Dp2Q7vJyg0G30
#EuroScope #EUVD #ENISA #CVE #NVD #CyberSécurité #AutonomieStratégique
The global vulnerability intelligence platform project is moving forward. Many organisations are joining the efforts.
Our first open community meeting is Tuesday May 20 at 16:00 Central european time. Ping me for a zoom invite or join the #cve-wg slack channel in OWASP slack.
As #US #vulnerability-tracking falters, #EU enters with its own #security bug database
The European Vulnerability Database (#EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. The EUVD is similar to the US government's National Vulnerability Database (#NVD).
https://www.theregister.com/2025/05/13/eu_security_bug_database/ #CISA
For a while, I've been collecting thoughts on a global vulnerability management platform, funded by many sources and governments. This Monday, we had a webinar in Eclipse ORCWG and it's now available on YouTube. If you want to join the work, there's a mailing list on google groups "cve@owasp.org" as well as a work group in OpenSSF - Vulnerability disclosures wg.
