Vulnerability Management
In-depth guides and analysis on vulnerability management from the Safeguard engineering team.
133 articles
Upgrade Impact Analysis: Predicting Breaking Changes Befo...
Why 70% of security patches sit unapplied for months, and how diffing a package upgrade against your call graph predicts breaking changes before you run npm update.
Automated Dependency Patches: How Endor-Style Patch Gener...
Endor Labs generates automated dependency patches using reachability and AI rewrites. Here's how the pipeline works, where it breaks, and Safeguard's approach.
Patch Transparency: Auditing Automated Fix Pull Requests
Automated fix PRs from Dependabot, Renovate, and Endor Labs move fast but are rarely auditable. Here's what a real patch transparency record needs.
Zero-Day Patch Response at Scale: Can Open Source Maintai...
Zero-day patch timelines swing from 3 hours to 10 weeks across open source projects. Here's why maintainer capacity, not tooling, is the real bottleneck.
Microsoft May 2026 Patch Tuesday: No Zero-Days, but Two CVSS 9.8 Wormable RCEs
Microsoft's May 2026 Patch Tuesday shipped without a single exploited zero-day for the first time since June 2024, but it still carried two unauthenticated CVSS 9.8 remote code execution bugs in core Windows services that every domain should treat as emergency patches.
Apache Tomcat CVE-2025-24813: a deserialization deep dive
Tomcat's partial-PUT deserialization RCE turned a session persistence feature into a remote code execution path, and the pattern is one Java middleware keeps repeating.
Linguistic Lumberjack: lessons from Fluent Bit CVE-2024-4323
Tenable's Linguistic Lumberjack flaw in Fluent Bit's monitoring API was a heap corruption with a wide blast radius because observability sidecars are everywhere and rarely inventoried.
CVE vs CVSS vs EPSS vs SSVC scoring compared
CVE tells you a flaw exists, CVSS rates severity, EPSS predicts exploitation, and SSVC drives decisions. Here's how Safeguard and Socket.dev use each differently.
The CUPS RCE chain: a postmortem of CVE-2024-47176 and friends
The September 2024 CUPS chain (CVE-2024-47176, 47076, 47175, 47177) turned a printer browsing daemon into a remote code execution vector and exposed how badly long-tail Linux daemons get patched.
regreSSHion revisited: defending against CVE-2024-6387 in 2026
How the regreSSHion race condition in OpenSSH sshd reintroduced an unauthenticated RCE on glibc Linux, what the patch trajectory looked like, and the supply chain habits it should change.
The ROI of CVE Prioritization with Reachability in 2026
Concrete numbers on what reachability-based CVE prioritization saves: engineering hours, mean time to remediate, and the ROI math that survives finance review.
Vulnerability prioritization: moving beyond CVSS scores
CVSS scores flood teams with thousands of "Critical" findings, but fewer than 5% of CVEs are ever exploited. Here's how reachability and exploit data fix triage.