
Down the Security Rabbithole Podcast (DtSR) DtSR Episode 680 - Debating Patching and Vulnerability Scoring
Nov 18, 2025

In this discussion, Brian 'Jericho' Martin, a seasoned expert in vulnerability intelligence and founder of attrition.org, dives into the complexities of vulnerability scoring and patching. He passionately debates the shortcomings of CVSS and critiques the CVE process, highlighting why many vulnerabilities remain unnumbered. Brian proposes a new prioritization model for addressing threats and stresses the need for better vendor responsiveness. With a nod to the messy realities of existing systems, he contemplates whether meaningful industry improvements are possible.
AI Snips
Patching Everything Is Impossible
- Trying to patch everything is impossible; teams must triage what truly matters.
- Brian Martin argues vulnerability intelligence must be proactive, not reactive to CVE alone.
CVEs Miss Real Exploits
- Many exploited vulnerabilities never receive CVE IDs because CVE processes miss disclosures.
- Brian highlights gaps: authors not notifying MITRE and vendors fixing without CVE engagement.
Why Multiple CVSS Versions Exist
- Multiple CVSS versions exist because real-world attack scenarios evolved, not out of vanity.
- Each version improved the metrics that were needed at the time, but the coexistence of versions created conflicting scores and confusion.

