SEI Blog | Security Vulnerabilitieshttp://sei.cmu.edu/feeds/topic/security-vulnerabilities/atom/?utm_source=blog&utm_medium=rss2026-01-28T00:00:00-05:00Updates on changes and additions to the SEI Blog for posts matching Security VulnerabilitiesFrom Concept to Practice: How SSVC Has Evolved to Make Adoption Possible2026-01-28T00:00:00-05:002026-01-28T00:00:00-05:00Renae Metcalf, Allen Householder, Vijay Sarvepallihttps://www.sei.cmu.edu/blog/from-concept-to-practice-how-ssvc-has-evolved-to-make-adoption-possible/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post traces the milestones of the Stakeholder Specific Vulnerability Categorization and invites the community to participate, contribute, and benefit from the continued maturation of SSVC.What’s New in SSVC: Build, Explore, and Evolve Your Decision Models2025-10-13T00:00:00-04:002025-10-13T00:00:00-04:00Bon Jin Koo, Renae Metcalf, Vijay Sarvepalli, Allen Householderhttps://www.sei.cmu.edu/blog/whats-new-in-ssvc-build-explore-and-evolve-your-decision-models/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesRecent updates to the Stakeholder-Specific Vulnerability Categorization (SSVC) framework help different stakeholders to prioritize vulnerabilities according to their distinct risk appetites.The Threat of Deprecated BGP Attributes2024-06-03T00:00:00-04:002024-06-03T00:00:00-04:00Leigh Metcalf, Timur Snokehttps://www.sei.cmu.edu/blog/the-threat-of-deprecated-bgp-attributes/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post examines how a small issue with Border Gateway Protocol routing, a deprecated path attribute, can cause a major interruption to Internet traffic.UEFI: 5 Recommendations for Securing and Restoring Trust2023-06-26T00:00:00-04:002023-06-26T00:00:00-04:00Vijay Sarvepallihttps://www.sei.cmu.edu/blog/uefi-5-recommendations-for-securing-restoring-trust/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post expands on concerns brought to light from recent UEFI attacks, such as BlackLotus, and highlights 5 recommendations to secure and restore trust in the UEFI ecosystem.Vultron: A Protocol for Coordinated Vulnerability Disclosure2022-09-26T00:00:00-04:002022-09-26T00:00:00-04:00Allen Householderhttps://www.sei.cmu.edu/blog/vultron-a-protocol-for-coordinated-vulnerability-disclosure/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post introduces Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).UEFI – Terra Firma for Attackers2022-08-01T00:00:00-04:002022-08-01T00:00:00-04:00Vijay Sarvepallihttps://www.sei.cmu.edu/blog/uefi-terra-firma-for-attackers/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post focuses on how the vulnerabilities in firmware popularized by the Uniform Extensible Firmware Interface create a lucrative target for high-profile attackers.Probably Don’t Rely on EPSS Yet2022-06-06T00:00:00-04:002022-06-06T00:00:00-04:00Jonathan Springhttps://www.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering2021-09-06T00:00:00-04:002021-09-06T00:00:00-04:00Douglas Schmidthttps://www.sei.cmu.edu/blog/the-latest-work-from-the-sei-coordinated-vulnerability-disclosure-cybersecurity-research-cyber-risk-and-resilience-and-the-importance-of-fostering-diversity-in-software-engineering/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post highlights the latest work from the SEI in coordinated vulnerability disclosure, cyber risk and resilience management, automation, and the science of cybersecurity.Vulnerabilities: Everybody’s Got One!2021-06-16T00:00:00-04:002021-06-16T00:00:00-04:00Leigh Metcalfhttps://www.sei.cmu.edu/blog/vulnerabilities-everybodys-got-one/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesIn this post, Leigh Metcalf describes how she pulled data from the malvuln project to explore recent vulnerabilities in both malware and non-malware to study the differences.CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security2021-06-01T00:00:00-04:002021-06-01T00:00:00-04:00Jonathan Springhttps://www.sei.cmu.edu/blog/certcc-comments-on-standards-and-guidelines-to-enhance-software-supply-chain-security/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post shares insights from the CERT Coordination Center (CERT/CC) on proposed software supply chain security standards and guidelines.Cat and Mouse in the Age of .NET2020-11-19T00:00:00-05:002020-11-19T00:00:00-05:00Brandon Marzikhttps://www.sei.cmu.edu/blog/cat-and-mouse-age-net/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post explores evolving .NET threat landscape with challenges faced by red and blue teams and suggests ways to stay ahead of attackers.Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning2020-10-22T00:00:00-04:002020-10-22T00:00:00-04:00Jonathan Springhttps://www.sei.cmu.edu/blog/adversarial-ml-threat-matrix-adversarial-tactics-techniques-and-common-knowledge-of-machine-learning/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post introduces the Adversarial ML Threat Matrix, a list of tactics to exploit machine learning models, and guidance on defense against them.Three Places to Start in Defending Against Ransomware2020-10-12T00:00:00-04:002020-10-12T00:00:00-04:00Timothy Shimeallhttps://www.sei.cmu.edu/blog/three-places-to-start-in-defending-against-ransomware/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesLearn three initial efforts for defending against ransomware in this informative SEI Blog post.Ransomware as a Service (RaaS) Threats2020-10-05T00:00:00-04:002020-10-05T00:00:00-04:00Marisa Midlerhttps://www.sei.cmu.edu/blog/ransomware-as-a-service-raas-threats/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a change in the ransomware business model that could lead to a significant upswing in ransomware activity.Snake Ransomware Analysis Updates2020-03-23T00:00:00-04:002020-03-23T00:00:00-04:00Kyle O'Mearahttps://www.sei.cmu.edu/blog/snake-ransomware-analysis-updates/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesIn January 2020, Sentinel Labs published two reports on Snake (also known as Ekans) ransomware.[1][2] The Snake ransomware gained attention due to its ability to terminate specific industrial control system (ICS) processes....Bridging the Gap Between Research and Practice2020-03-23T00:00:00-04:002020-03-23T00:00:00-04:00Leigh Metcalfhttps://www.sei.cmu.edu/blog/bridging-the-gap-between-research-and-practice/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesA fundamental goal for a federally funded research and development center (FFRDC) is to bridge the gap between research and practice for government customers....Security Automation Begins at the Source Code2020-03-11T00:00:00-04:002020-03-11T00:00:00-04:00Vijay Sarvepallihttps://www.sei.cmu.edu/blog/security-automation-begins-at-the-source-code/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesHi, this is Vijay Sarvepalli, Information Security Architect in the CERT Division. On what seemed like a normal day at our vulnerability coordination center, one of my colleagues asked me....Comments on NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning2020-02-13T00:00:00-05:002020-02-13T00:00:00-05:00Jonathan Springhttps://www.sei.cmu.edu/blog/comments-on-nist-ir-8269-a-taxonomy-and-terminology-of-adversarial-machine-learning/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThe U.S. National Institute of Standards and Technology (NIST) recently held a public comment period on their draft report on proposed taxonomy and terminology of Adversarial Machine Learning (AML)....Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization2019-12-05T00:00:00-05:002019-12-05T00:00:00-05:00Allen Householderhttps://www.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesWe've just released a follow-up paper in our research agenda about prioritizing actions during vulnerability management, Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization....Machine Learning in Cybersecurity2019-12-02T00:00:00-05:002019-12-02T00:00:00-05:00Jonathan Springhttps://www.sei.cmu.edu/blog/machine-learning-cybersecurity-2019/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesOur technical report provides an overview of the relevant parts of an ML lifecycle--selecting the right problem, the right data, and the right math and summarizing the model output for consumption--as well as questions that relate to those areas of focus.