Jerry Gamblin

55 Followers
10 Following
38 Posts
Bringing clarity to vulnerability intelligence through open-source tools. Founder of RogoLabs | Creator of http://cve.icu & http://patchthis.app.
Website: https://jerrygamblin.com
RogoLabs: https://rogolabs.net

The "Zero Day Clock" is a Masterclass in Bad Data Science.

I've heard this clock mentioned multiple times at #RSAC this week. It predicts an "exponential collapse" of the time-to-exploit (TTE) toward zero. It makes for a scary keynote slide, but the math is fundamentally broken.

The model suffers from:

Right-Censoring: It ignores that slow exploits for 2025 haven't happened yet, artificially forcing the "average" to zero.

Selection Bias: It only tracks the fastest 1.5% of vulnerabilities and ignores the "long tail."

Administrative Lag: It mistakes the growing NVD backlog for "attacker velocity."

We don’t need hyperbolic "scare-ware" statistics to justify our urgency. Defense is hard enough without distorting the data.

I’ve written a full technical audit on why this methodology fails a basic statistical peer review:

Technical Breakdown: https://gist.github.com/jgamblin/91f7843b62069616c951f32957c921cd

#RSAC #RSAC2026 #Infosec #CyberSecurity #DataScience #VulnerabilityManagement
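As an added illustration of the first two flaws named above (right-censoring and the "fastest 1.5%" selection), here is a constructed simulation; it is not code from the post or the linked gist, and the lognormal parameters, the one-year window and the 20,000-vulnerability cohort are all assumptions chosen only to make the effect visible:

```python
import math
import random
import statistics

# Constructed data: a year of vulnerabilities with a heavy-tailed (lognormal)
# time-to-exploit. Median and sigma are assumed values, not measurements.
TRUE_MEDIAN_TTE_DAYS = 60.0
LOGNORMAL_SIGMA = 1.2
YEAR_DAYS = 365.0

def simulate_cohort(n, seed=7):
    """Return (disclosure_day, true_tte_days) pairs for n vulnerabilities."""
    rng = random.Random(seed)
    mu = math.log(TRUE_MEDIAN_TTE_DAYS)
    return [(rng.uniform(0.0, YEAR_DAYS), rng.lognormvariate(mu, LOGNORMAL_SIGMA))
            for _ in range(n)]

def observed_before(records, observed_at):
    """Exploits that have already happened by observed_at; the rest are censored."""
    return [(d, t) for d, t in records if d + t <= observed_at]

def naive_mean_by_quarter(records, observed_at=YEAR_DAYS):
    """Mean of *observed* TTE per disclosure quarter at one fixed observation date.
    Recent quarters have had little follow-up time, so only their fastest exploits
    are visible yet and their 'average' collapses toward zero."""
    buckets = {}
    for d, t in observed_before(records, observed_at):
        buckets.setdefault(int(d // (YEAR_DAYS / 4)), []).append(t)
    return [statistics.mean(buckets[q]) for q in sorted(buckets)]

def audit(n=20000, seed=7):
    records = simulate_cohort(n, seed)
    true_tte = [t for _, t in records]
    seen = [t for _, t in observed_before(records, YEAR_DAYS)]
    fastest = sorted(true_tte)[: max(1, int(n * 0.015))]  # the 'fastest 1.5%' view
    return {
        "true_mean": statistics.mean(true_tte),
        "naive_observed_mean": statistics.mean(seen),   # right-censored estimate
        "fastest_1_5pct_mean": statistics.mean(fastest),  # selection-biased estimate
        "censored_fraction": 1 - len(seen) / n,
        "quarterly_naive_means": naive_mean_by_quarter(records),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

The true mean never changes between quarters; the downward trend in the quarterly figures is produced entirely by the observation window.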

A Critical Audit of the "Zero Day Clock" Methodology


I just read this essay by Kenneth Reitz, and it’s a powerful, necessary look at the "hidden human cost" of the tech industry.

Kenneth pulls back the curtain on how Open Source can build a career while simultaneously draining a person's spirit. He captures the "identity fusion" that happens when we tie our entire self-worth to our code.

It’s a sentiment that has hit home for me in the past. At times, I've had to wrestle with that nagging internal voice that says, "I am only as valuable as my last project." It’s an exhausting mindset to break—the feeling that your worth has an expiration date unless you’re constantly shipping something new. Reading this was a vital reminder that we are more than our output.

A final note: Kenneth’s story reminds us that these pressures can sometimes reach an extreme. If you ever find yourself struggling with these feelings to the point of feeling unmanageable, seeking professional help is a sign of strength. We are humans first, developers second.

https://kennethreitz.org/essays/2026-03-18-open_source_gave_me_everything_until_i_had_nothing_left_to_give

Open Source Gave Me Everything Until I Had Nothing Left to Give

I thought I was having a spiritual awakening. I was having a psychiatric emergency. I was at a tech conference in Sweden when it started. I hadn't slept in...

Kenneth Reitz

February 2026 CVE Growth Report:

YTD (February):
▸ 8,932 total CVEs (+12.4% vs 2025 YTD)
▸ 151 new vulnerabilities per day
▸ +982 more CVEs than 2025 through February

February alone:
▸ 4,619 CVEs (+25.7% vs February 2025)

The CVE Board January minutes read like a gossip mag for vuln geeks.

Good: The March "funding cliff" is a myth—the lights are staying on.

Bad: Mystery draft legislation wants to force "International Participation" & limit "Organizational Concentration."

Drama: The Board is already at 22 members with no term limits, but they just voted to interview #23.

Full gossip here: https://www.mail-archive.com/cve-editorial[email protected]/msg00314.html

CVE Board Meeting Minutes: January 21, 2026

Just wrapped up my talk at #BSidesGalway and officially launched VulnRadar!

I built this to show how any team can create a high-fidelity vulnerability intelligence capability for $0 in cloud spend. It’s about shifting from passive consumption to engineering autonomy.

The Highlights:

Serverless: Runs entirely on GitHub Actions with zero infrastructure overhead.

No APIs: Harvests directly from NVD, CVE List V5, and CISA KEV—no rate limits or auth headaches.

Contextual: Uses a simple watchlist.yaml to filter for the specific tech you actually run.

Actionable: Automatically creates GitHub Issues and triggers Slack/Discord alerts.

If you're here in Galway, let’s grab a coffee and talk shop! ☕

Code: https://github.com/RogoLabs/vulnradar

Slides: https://rogolabs.net/Talks/BSides-Galway-Open-Source-Intelligence.pdf

#CyberSecurity #InfoSec #OSINT #OpenSource #VulnerabilityManagement #RogoLabs #BSidesGalway

GitHub - RogoLabs/VulnRadar: A Vulnerability Radar That Runs With GitHub Actions


The @openclaw project has exploded this month. 🛡️

Since I've given it deep local access, I’m tracking its security in real-time.

📈 92 Advisories
🚨 55 High/Critical
🔄 Hourly V5 sync

Link: https://github.com/jgamblin/OpenClawCVEs/
Plot twist: I had OpenClaw build the tracker for me. 🤖

GitHub - jgamblin/OpenClawCVEs: Tracking OpenClaw CVEs


Vulnerability intel shouldn’t be a luxury.

Next week at @BSidesGalway, I’m launching VulnRadar:
✅ 100% Open Source
✅ Runs on free @github services
✅ NO API keys to manage

Good intel is a community necessity. Let’s make it the standard.

#BSidesGalway #CyberSecurity #OSS

Jan 2026 CVEs: 4,319.

While +1.0% YoY looks flat, it's 139 CVEs/day—nearly 7% HIGHER than 2025's average.

Finding CVEs that technically "don't exist" yet. 🕵️‍♂️

Ghost CVEs are live. A "Ghost CVE" is a vulnerability identifier that’s already popped up in the wild—think GitHub commits or security advisories—but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

It catches the threats that are already out there, even if the paperwork says they aren't. 📝💨

Admittedly, there are a lot more sources to add—this was just a quick weekend POV—but I plan on extending it soon.

Check out the latest ghost report here: https://github.com/RogoLabs/GhostCVEs/blob/main/reports/ghost_report.md

#InfoSec #ThreatIntel #OpenSource #GhostCVEs

GhostCVEs/reports/ghost_report.md at main · RogoLabs/GhostCVEs
