Hello, welcome to the Friday, May 19th, 2017 edition of the Sands and Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from San Diego, California.

Last weekend showed how important it is to keep your systems patched,

but the challenge is to stay oppressed of what patches are available

for your organization's systems. Xavier put together a little Python script to help you with

just that. The script will monitor the CVE database for vulnerabilities that match your selected profile, so you can select

operating systems and software that you are interested in, and then it will send you an email

whenever it finds a new vulnerability.

It's pretty easy to use, and in particular, for smaller organizations, maybe a nice supplement to regular vulnerability scans.

One Agrii, of course, incited a discussion about the duty of government organizations and other researchers to disclose vulnerabilities.

They discover.

One argument that is sometimes used is that if one entity is able to discover the vulnerability,

then others will probably do so as well.

As a result, these other entities may as well then use this vulnerability against you.

So it's in your best interest to disclose them to the vendor and have a patch available for your own networks as well.

And what happens as more and more researchers, of course, discover certain vulnerabilities.

The risk and the probability of these vulnerabilities being disclosed, of course, increases.

So far, there wasn't really any good data about sort of the rediscovery rate of vulnerabilities,

but in March, a paper by Trey Herr actually looked into

this question a little bit more systematic. He had a number of different data sets to look at.

One of the more recent ones was a database of Android vulnerabilities discovered between 2015 and 2016.

And essentially he looked at how many of these vulnerabilities were reported multiple times.

...