Vulnerability Management
In-depth guides and analysis on vulnerability management from the Safeguard engineering team.
133 articles
Continuous vulnerability management: the discovery-to-verification lifecycle
CISA's new BOD 26-04 gives federal agencies as little as 3 days to remediate the highest-risk flaws — a preview of the SLA pressure every engineering org now faces.
Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation
crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.
The CUPS RCE Chain: A Technical Breakdown of CVE-2024-47176
Four medium-severity CUPS bugs chained into unauthenticated RCE on UDP/631 — a masterclass in why CVSS scores per-CVE miss the real risk of a vulnerability chain.
Inside CVE-2023-38545: the libcurl SOCKS5 heap overflow
A single off-by-length check in curl's SOCKS5 handshake, live for over three years across libcurl 7.69.0–8.3.x, earned a 9.8 CVSS score and a CWE-787 out-of-bounds write.
CVSS 4.0 vs. 3.1: what actually changed, and why your priority list should too
CVSS 4.0 killed the Scope metric, added Attack Requirements, and split scoring into CVSS-B/BT/BE/BTE labels — here's what that means for triage.
Exploitability vs. breakability: a practical rubric for vulnerability triage
CVSS says a flaw could be bad. CISA's KEV catalog, now past 1,300 entries, says one actually was exploited. Most teams still triage as if the two are the same.
HTTP/2 CONTINUATION Flood: Inside CVE-2024-27316 and the Frame-Based DoS Class
A single TCP connection with no END_HEADERS flag was enough to crash major HTTP/2 servers — worse than Rapid Reset, and it took the industry a decade to check for it.
HTTP/2 Rapid Reset: inside CVE-2023-44487
A single HTTP/2 feature let attackers hit 398 million requests per second. Here's how Rapid Reset (CVE-2023-44487) broke nearly every major web server at once.
Log4Shell and Spring4Shell, years later: why the same bug keeps coming back
CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.
The 10 most common code-level vulnerability classes, ranked by real-world data
MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
What PHP's use-after-free bugs teach us about dynamic-runtime memory safety
Check Point disclosed three PHP 7 unserialize zero-days in 2016 alone. A decade of PHP use-after-free CVEs shows memory-safety risk doesn't end at the C/C++ boundary.