
[CramHacks] Newsletter #16: Happy Holidays!

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳

Well, it looks like everyone is enjoying the holidays because I don’t have much news for you all this week. I hope it was a good one!

Software Supply Chain Security

If you haven’t already, be sure to check out the (2) blog posts released this past week:

There are several other blog posts in the works, but the likelihood is that the next one will revolve around Artificial Intelligence (AI) and Machine Learning (ML) supply chain security.

Microsoft researchers revealed PromptBench, a PyTorch-based Python package for evaluating Large Language Models (LLMs), enabling researchers to leverage its APIs to evaluate LLMs. The technical report can be found here.

Maintained by Jerry Gamblin, cve.icu compiles CVE, CWE, CVSS, CPE, and CNA data provided by NIST and generates interesting tables and graphs.

Looking at the CNA data, there are 290 entries, but we know from NIST that there are currently 345 CNAs - I believe this is because 55 have never been assigned a CVE, but I have not confirmed this. In addition, 92 of the 290 entries had assigned ten or fewer CVEs.

👋 What was most interesting was trying to derive some of these numbers myself using NVD’s JSON, their API, or looking at other sources like vulners.

Surprise, surprise… each source resulted in a different result, even for something as simple as “how many total CVEs were published in 2023”. Why is counting so hard 🥹.
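One reason the same question yields different answers is that "CVEs published in 2023" can be read several ways: by publication date, by the year in the CVE ID, and with or without entries NVD has marked as rejected. The script below is an added example (not the newsletter's own code, and not from cve.icu or NVD) that runs the three readings over a small constructed record set laid out in the shape of NVD's JSON 2.0 (the field names `id`, `published` and `vulnStatus` under `cve` are assumed from that format; the IDs are placeholders).

```python
import json

# Constructed sample records in the NVD JSON 2.0 layout (assumed field names).
# CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2023-00001", "published": "2023-01-05T10:00:00.000", "vulnStatus": "Analyzed"}},
    {"cve": {"id": "CVE-2023-00002", "published": "2023-06-10T10:00:00.000", "vulnStatus": "Rejected"}},
    # 2022-series IDs that were only published in 2023
    {"cve": {"id": "CVE-2022-00003", "published": "2023-02-01T10:00:00.000", "vulnStatus": "Analyzed"}},
    {"cve": {"id": "CVE-2022-00004", "published": "2023-03-15T10:00:00.000", "vulnStatus": "Analyzed"}},
    # 2023-series ID that was not published until 2024
    {"cve": {"id": "CVE-2023-00005", "published": "2024-01-02T10:00:00.000", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-2023-00006", "published": "2023-11-20T10:00:00.000", "vulnStatus": "Modified"}},
    {"cve": {"id": "CVE-2023-00007", "published": "2023-12-01T10:00:00.000", "vulnStatus": "Rejected"}},
]})


def count_cves(raw_json: str, year: int) -> dict:
    """Return three defensible answers to 'how many CVEs in <year>?' from one dataset.

    published_in_year:      entries whose NVD publication date falls in the year
    id_year:                entries whose CVE ID carries that year (CVE-<year>-NNNN)
    published_not_rejected: published_in_year minus entries NVD marks as Rejected
    """
    records = [item["cve"] for item in json.loads(raw_json)["vulnerabilities"]]
    by_published = [c for c in records if c["published"].startswith(f"{year}-")]
    by_id_year = [c for c in records if c["id"].split("-")[1] == str(year)]
    not_rejected = [c for c in by_published if c["vulnStatus"] != "Rejected"]
    return {
        "published_in_year": len(by_published),
        "id_year": len(by_id_year),
        "published_not_rejected": len(not_rejected),
    }


if __name__ == "__main__":
    # Three different totals from the same file, depending on the definition used.
    for label, n in count_cves(SAMPLE_NVD_JSON, 2023).items():
        print(f"{label}: {n}")
```

Any two sources that silently pick different definitions (or snapshot the data on different days, since `published` and `vulnStatus` change over time) will disagree, which is worth checking before comparing their totals.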

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle