For those who missed it (like me), SQL injection is over 25 years old and predates CVE, the first writeup having been published on December 25, 1998, by Rain Forest Puppy in Phrack. If you're interested in how this was tracked, I bet there are some fun non-standard descriptions in the early CVEs.
This is a story about CISA.
About what it meant and means to someone in the trenches. Years ago, and now.
I also distinctly remember spending a lot of effort in modeling "vuln complexity" with Carsten Eiram and his colleagues (maybe during the Risk Based Security days?), but if I recall correctly, we proposed a talk to one of the major Vegas cons, but it got rejected, and I didn't pursue it further. Not that I'm bitter, but it seemed worth mentioning to anybody else who's felt the sting of infosec rejection ;-) 7/7.
Finally: as with all cited ideas in the cyberz, the "Unforgivable Vulnerabilities" paper did not occur in a vacuum. No doubt I missed, dismissed, or misinterpreted many other ideas and publications at the time or earlier, but: for other work that bears revisiting, see David Litchfield's "Vulnerability Assessment Assurance Levels (VAAL)" proposal from 2006 (https://seclists.org/fulldisclosure/2006/May/304). 6/x

Full Disclosure: How secure is software X?
For me, one of the coolest aspects of the NCSC paper is its use of CWE's classification scheme for broad types of mitigations. I'd hoped to see more of this over the years, or even some kind of criticism, but I'm glad to see it's being used now. There's still plenty of work to do in mitigation classification and improving coverage across the entire CWE corpus (... and also D3FEND etc.), but personally, I'm really happy to see the growing interest in software security on a macro level. 5/x