Launching LycosAI today.
The wilderness is encroaching. We are holding the line.
Deploying autonomous wolf packs at prefecture scale to secure the rural perimeter where legacy systems have failed.
lycosai.com
| Website | https://jerrygamblin.com |
| RogoLabs | https://rogolabs.net |
April 2026 CVE Stats:
🚨 5,820 New CVEs (+44% YoY)
📊 175/day avg
📈 YTD: 20,991 (+31% YoY)
🔥 Median CVSS: 7.0
Top CWEs:
1️⃣ XSS (588)
2️⃣ Path Traversal (238)
3️⃣ Missing Auth (235)
4️⃣ SQLi (218)
Version 2 of my CVE Intelligence TA for Splunk is live on Splunkbase.
I’ve added EPSS probability, CISA KEV status, and SSVC data to the baseline for 327k+ vulnerabilities.
No API keys, zero-config, and pre-joined lookups for faster triage.
Full details and download: https://jerrygamblin.com/2026/04/18/prioritizing-what-matters-bringing-cve-intelligence-to-splunk/
When the NVD and GitHub disagree on a CVSS score, who do you trust?
I’m at #VulnCon and built Vuln Anarchy to visualize the scoring gap. This chart shows nearly 1,500 instances where the math doesn't align.
Live Data: https://rogolabs.github.io/vuln-anarchy/
Repo: https://github.com/RogoLabs/vuln-anarchy
Paid $25 on eBay for a 1943 cryptography book. It arrived signed by LTC George R. Eckman, the Executive Officer of the Alsos Mission, the WWII task force that hunted Nazi nuclear scientists across Europe.
It's going to the U.S. Army Intelligence Hall of Fame. Some books belong in archives. 🔐
I heard you like CVEs, so I reported CVEs in your CVE filing software.
I reported and fixed CVE-2026-35466 & CVE-2026-35467 in CVEClient.
March 2026 was a brutal month for vulnerabilities. 🛡️
Here is the damage:
• 6,246 new CVEs (+55.7% over last March)
• 169 new vulns per day 🤯
• 7.1 median CVSS severity (High)
The Top 3 Culprits:
🥇 XSS (730)
🥈 SQLi (325)
🥉 Missing Auth (292)
2026 is already up 27% YoY.
The "Zero Day Clock" is a Masterclass in Bad Data Science.
I've heard this clock mentioned multiple times at #RSAC this week. It predicts an "exponential collapse" of the time-to-exploit (TTE) toward zero. It makes for a scary keynote slide, but the math is fundamentally broken.
The model suffers from:
Right-Censoring: It ignores that slow exploits for 2025 haven't happened yet, artificially forcing the "average" to zero.
Selection Bias: It only tracks the fastest 1.5% of vulnerabilities and ignores the "long tail."
Administrative Lag: It mistakes the growing NVD backlog for "attacker velocity."
We don’t need hyperbolic "scare-ware" statistics to justify our urgency. Defense is hard enough without distorting the data.
I’ve written a full technical audit on why this methodology fails a basic statistical peer review:
Technical Breakdown: https://gist.github.com/jgamblin/91f7843b62069616c951f32957c921cd
#RSAC #RSAC2026 #Infosec #CyberSecurity #DataScience #VulnerabilityManagement
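The right-censoring and selection-bias points above can be made concrete with a small simulation. The code below is an added illustration, not part of the post or of the linked audit: it builds two constructed cohorts that share the same true time-to-exploit (TTE) distribution and differ only in how long an analyst has been able to watch them, then compares the naive "average of exploits seen so far" against a Kaplan-Meier median that accounts for censoring. Cohort names, disclosure days, the TTE values and the observation cutoff are all constructed for the example.

```python
"""Added example (not from the original post): how right-censoring and selection
bias distort a naive "average time-to-exploit" (TTE).

Two constructed cohorts share the *same* true TTE distribution; only the
observation window differs. Every number here is constructed for illustration,
not real CVE data.
"""
from fractions import Fraction
from typing import List, Optional, Tuple

# True days from disclosure to first exploit; None = never exploited (constructed).
TRUE_TTE: List[Optional[int]] = [5, 30, 60, 90, 120, 180, 240, 300, 400, None]

# Disclosure day of each cohort relative to the start of observation (constructed):
# the "old" cohort was disclosed on day 0, the "new" one on day 300.
COHORTS = {"old": 0, "new": 300}
OBSERVATION_END = 365  # the analyst can only see exploits that happened by this day

Record = Tuple[int, bool]  # (days observed, exploit seen?)


def observe(disclosure_day: int, cutoff: int) -> List[Record]:
    """Return (time, event_seen) pairs as an analyst looking at `cutoff` sees them.

    A vuln whose exploit lands after the cutoff (or never) is right-censored: all
    we know is that it survived unexploited for cutoff - disclosure_day days.
    """
    follow_up = cutoff - disclosure_day
    records: List[Record] = []
    for tte in TRUE_TTE:
        if tte is not None and tte <= follow_up:
            records.append((tte, True))          # exploit observed
        else:
            records.append((follow_up, False))   # censored: not exploited (yet)
    return records


def naive_mean_tte(records: List[Record]) -> Optional[float]:
    """The 'clock' style statistic: average over exploits seen so far, silently
    dropping every vuln that has not been exploited yet."""
    seen = [t for t, event in records if event]
    return sum(seen) / len(seen) if seen else None


def kaplan_meier_median(records: List[Record]) -> Optional[float]:
    """Median TTE via the Kaplan-Meier estimator, which keeps censored vulns in
    the at-risk set until they drop out.

    Returns None when survival never falls to 0.5 within the follow-up: the
    honest answer is 'not enough data yet', not 'zero'.
    """
    survival = Fraction(1)           # exact arithmetic avoids 0.5000000001 issues
    at_risk = len(records)
    for time in sorted({t for t, _ in records}):
        events = sum(1 for t, e in records if t == time and e)
        if events:
            survival *= Fraction(at_risk - events, at_risk)
            if survival <= Fraction(1, 2):
                return float(time)
        at_risk -= sum(1 for t, _ in records if t == time)  # events and censored leave
    return None


def mean_of_fastest(records: List[Record], fraction: float) -> float:
    """Selection bias: averaging only the fastest `fraction` of observed exploits
    says nothing about the long tail that makes up the rest."""
    seen = sorted(t for t, e in records if e)
    k = max(1, int(len(seen) * fraction))
    return sum(seen[:k]) / k


if __name__ == "__main__":
    for name, day in COHORTS.items():
        recs = observe(day, OBSERVATION_END)
        print(f"{name}: naive mean={naive_mean_tte(recs)}, "
              f"KM median={kaplan_meier_median(recs)}, "
              f"fastest-25% mean={mean_of_fastest(recs, 0.25)}")
```

Running it shows the naive mean "collapsing" from about 128 days for the old cohort to about 32 days for the new one even though the underlying distribution is identical: the new cohort has only had 65 days of follow-up, so only its three fastest exploits are visible. The Kaplan-Meier estimate gives 120 days for the old cohort and declines to produce a median for the new one, which is the correct response to insufficient follow-up.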
I just read this essay by Kenneth Reitz, and it’s a powerful, necessary look at the "hidden human cost" of the tech industry.
Kenneth pulls back the curtain on how Open Source can build a career while simultaneously draining a person's spirit. He captures the "identity fusion" that happens when we tie our entire self-worth to our code.
It’s a sentiment that has hit home for me in the past. At times, I've had to wrestle with that nagging internal voice that says, "I am only as valuable as my last project." It’s an exhausting mindset to break—the feeling that your worth has an expiration date unless you’re constantly shipping something new. Reading this was a vital reminder that we are more than our output.
A final note: Kenneth’s story reminds us that these pressures can sometimes reach an extreme. If you ever find yourself struggling with these feelings to the point of feeling unmanageable, seeking professional help is a sign of strength. We are humans first, developers second.
RE: https://social.circl.lu/@gcve/116210729801306563
GCVE now allows publishing.