Safeguard
Topic

Vulnerability Management

In-depth guides and analysis on vulnerability management from the Safeguard engineering team.

133 articles

Vulnerability Management

Upgrade Impact Analysis: Predicting Breaking Changes Befo...

Why 70% of security patches sit unapplied for months, and how diffing a package upgrade against your call graph predicts breaking changes before you run npm update.

May 16, 20267 min read
Vulnerability Management

Automated Dependency Patches: How Endor-Style Patch Gener...

Endor Labs generates automated dependency patches using reachability and AI rewrites. Here's how the pipeline works, where it breaks, and Safeguard's approach.

May 16, 20267 min read
Vulnerability Management

Patch Transparency: Auditing Automated Fix Pull Requests

Automated fix PRs from Dependabot, Renovate, and Endor Labs move fast but are rarely auditable. Here's what a real patch transparency record needs.

May 16, 20267 min read
Vulnerability Management

Zero-Day Patch Response at Scale: Can Open Source Maintai...

Zero-day patch timelines swing from 3 hours to 10 weeks across open source projects. Here's why maintainer capacity, not tooling, is the real bottleneck.

May 16, 20268 min read
Vulnerability Management

Microsoft May 2026 Patch Tuesday: No Zero-Days, but Two CVSS 9.8 Wormable RCEs

Microsoft's May 2026 Patch Tuesday shipped without a single exploited zero-day for the first time since June 2024, but it still carried two unauthenticated CVSS 9.8 remote code execution bugs in core Windows services that every domain should treat as emergency patches.

May 13, 202613 min read
Vulnerability Management

Apache Tomcat CVE-2025-24813: a deserialization deep dive

Tomcat's partial-PUT deserialization RCE turned a session persistence feature into a remote code execution path, and the pattern is one Java middleware keeps repeating.

May 13, 20267 min read
Vulnerability Management

Linguistic Lumberjack: lessons from Fluent Bit CVE-2024-4323

Tenable's Linguistic Lumberjack flaw in Fluent Bit's monitoring API was a heap corruption with a wide blast radius because observability sidecars are everywhere and rarely inventoried.

May 13, 20266 min read
Vulnerability Management

CVE vs CVSS vs EPSS vs SSVC scoring compared

CVE tells you a flaw exists, CVSS rates severity, EPSS predicts exploitation, and SSVC drives decisions. Here's how Safeguard and Socket.dev use each differently.

May 13, 20268 min read
Vulnerability Management

The CUPS RCE chain: a postmortem of CVE-2024-47176 and friends

The September 2024 CUPS chain (CVE-2024-47176, 47076, 47175, 47177) turned a printer browsing daemon into a remote code execution vector and exposed how badly long-tail Linux daemons get patched.

May 12, 20266 min read
Vulnerability Management

regreSSHion revisited: defending against CVE-2024-6387 in 2026

How the regreSSHion race condition in OpenSSH sshd reintroduced an unauthenticated RCE on glibc Linux, what the patch trajectory looked like, and the supply chain habits it should change.

May 12, 20266 min read
Vulnerability Management

The ROI of CVE Prioritization with Reachability in 2026

Concrete numbers on what reachability-based CVE prioritization saves: engineering hours, mean time to remediate, and the ROI math that survives finance review.

May 12, 20266 min read
Vulnerability Management

Vulnerability prioritization: moving beyond CVSS scores

CVSS scores flood teams with thousands of "Critical" findings, but fewer than 5% of CVEs are ever exploited. Here's how reachability and exploit data fix triage.

Apr 25, 20267 min read
Vulnerability Management (Page 4) — Supply Chain Security Blog | Safeguard