| Website | caitlincondon.com |
It's a day ending in "y", which means I'm #hiring senior exploit developers around Cheltenham, UK. If you're based near Cheltenham and love RCE exploits, hit me up!
[Must be within reasonable distance of Cheltenham. No relocation, no sponsorship, sorry!]
One of our focus areas at VulnCheck is uncovering hidden risk that others may be overlooking. Our CVE Numbering Authority (CNA) team has assigned hundreds of CVEs to vulnerabilities without identifiers this year, coordinating with the research community, dozens of other CNAs, and global organizations that produce software and identify exploitation.
Our research team wrote about closing CVE coverage gaps, with particular emphasis on public vulnerabilities (many of them older) with known exploit code and/or exploitation evidence — but *without* CVE identifiers. We've seen plenty of times that if a vuln doesn't have a CVE, it's often invisible to defenders...until it's exploited. I still sometimes hear that "older vulnerabilities aren't relevant," but adversaries and exploit developers pretty clearly disagree.
*blinking guy meme intensifies* (both stories c/o @riskybiz newsletter)
I cannot imagine allowing attackers to keep stolen funds is a deterrent.