Vulnerability Management
In-depth guides and analysis on vulnerability management from the Safeguard engineering team.
133 articles
Prioritizing vulnerabilities by real-world risk, not raw CVSS score
Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.
CVE-2022-1471: Inside the SnakeYaml Deserialization RCE
CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.
How task-scheduler RCEs become cryptomining botnets
Two chained Apache Airflow CVEs and a Rundeck YAML deserialization bug show how scheduler tools turn one flaw into unauthenticated RCE and persistent mining.
Using EPSS scores for vulnerability remediation prioritization
EPSS predicts exploitation probability for every CVE on a 0-1 scale, updated daily. Paired with CVSS, it turns a 1,000-ticket backlog into a short, defensible list.
CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong
One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.
The libwebp heap overflow that patched half the internet: CVE-2023-4863
One heap buffer overflow in a 15-year-old image codec forced Chrome, Firefox, Edge, Electron apps, and entire Linux distros to ship emergency patches within days.
Reachability-based vulnerability prioritization (Polaris ...
Reachability analysis cuts CVE noise by confirming which vulnerabilities are exploitable. Here's how Black Duck's Polaris reachability compares to Safeguard's pipeline-native approach.
AppSec program consolidation: reducing tool sprawl
AppSec tool sprawl is a consolidation problem, not just a vendor-count problem. A look at Black Duck's product lineage versus Safeguard's unified scanning pipeline.
Vulnerability scanning tools and techniques compared
A verifiable comparison of Safeguard and JFrog Xray on scan coverage, data sourcing, reachability analysis, and CI/CD integration for vulnerability scanning.
CVE Numbering Authority (CNA) status: why it matters when...
JFrog has issued its own CVEs since 2021 as a CVE Numbering Authority. Here's what CNA status really controls, where it falls short, and how to verify vendor-disclosed vulnerabilities.
CVE explained: how vulnerabilities get identified and scored
A CVE ID and its CVSS score come from different organizations entirely. Here's how identification and severity scoring actually work, using Log4Shell and the 2024 NVD backlog as examples.
CVSS scoring explained, and where severity scores go wrong
CVSS score explained through a real case where CVSS, EPSS, and KEV disagreed, showing why severity alone misleads prioritization decisions.