SECURITY
Tom's House of Awesome CVEs
Did you see that the U.S. is no longer funding the national security CVE program?
I’m glad to see they’re doing away with the “neutral third party” and going with a free-market solution.
I’m starting my own CVE service. Here’s my price-list:
- Regular CVEs: $1,000 evaluation fee
- CVEs where you get to pick the number: $10,000 (though certain numbers will be sold at auction… how much would you pay to be responsible for CVE-69?)
- Special packages:
  - $100,000/year and your company’s products will get a lower severity.
  - $10,000,000/year and all CVEs related to your product will be rejected as irreproducible.
I accept Bitcoin, Venmo, and cash in unmarked envelopes slid under my door.
Reduce the maximum validity period for TLS/SSL server certificates
Question: What would be the impact on your organization if the CA/Browser Forum approves a ballot reducing the maximum validity period for SSL/TLS server certificates from the current 825 days (27 months) to 397 days (13 months), effective for new certificates issued on or after March 1, 2020? (Existing certificates will remain valid for their full term.)
Response to: Our Security Auditor Is an Idiot
Some thoughts on the SO question about the idiot security consultant who demanded a list of everyone’s plaintext passwords plus some rather impossible things.