
November 21, 2023 58 mins

Patrick Garrity joins the Security Table to unpack CVSS 4.0, its impact on your program, and whether or not it will change the game, the rules of how the game is played, or maybe the entire game.



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:09):
Hey folks, welcome to a live edition of The Security Table. This is Chris Romeo, and I am joined by my normal cast of characters, and we have a guest, but Matt Coles is here, and the man who only needs a first name on virtual platforms, he doesn't actually need a last name, he's like 8

Matt Coles (00:31):
He usually goes by IT.

Chris Romeo (00:33):
He usually does answer by IT or any other number of names. But, uh, yeah, so we're super excited to have Patrick Garrity with us today. Patrick, our audience probably doesn't, some of them probably know you, but, uh, give, give just a brief background about who you are and kind of what you do.

Patrick Garrity (00:49):
Yeah, so I'm hanging out. This is my office. Turned it into a skate shop. I've been in cybersecurity for the better part of the last decade. Started my career transitioning out of a managed service provider. So lots of hands-on experience in IT. And then, um, went and helped build Duo Security on the sales

(01:09):
engineering side, go-to-market side, moved to Europe. And then, um, we got acquired by Cisco. Uh, spent some time helping, uh, Censys, spin-out of the University of Michigan, helping do discovery, and then, um, worked on a company that, uh, called Blumira that does detection and response in the, in the SIEM space for small and medium-sized business, and then, more recently, about two years ago, I got into the

(01:31):
vulnerability management space, uh, by joining, uh, Nucleus Security, and, um, combination of help with, uh, you know, anything and everything, but more recently, over the last year, spent a lot of time in the security research side of things. Um, which, you know, led, led me to, uh, some of the work on doing data visualizations with VulnData.

Chris Romeo (01:53):
And that's what we were admiring before we, uh, clicked the button to go live here. Your, uh, that, that, uh, multi, multi-colored picture that's kind of sitting over your shoulder right above there. Um, what is, so, so very quickly, just tell us what that is.

Patrick Garrity (02:09):
Yeah, so this is the, uh, CISA, Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list. So, at Black Hat, it was right around a thousand vulnerabilities, and, um, I just want to drive awareness that, like, everything is vulnerable. Um, and so... I spent some time doing tree maps and then did some overlays

(02:29):
to create a data viz that kind of shows, like, regardless of what company you are, the products in your environment, um, are vulnerable. And so this kind of shows Microsoft and Oracle and Cisco and Apache and you name it, pretty much every company has vulnerable products. And I think that's a really important narrative, especially when we're talking to, like, executives or stakeholders that

(02:52):
don't understand security. Um, when we're talking about vulnerability management, right? So, uh, that, that was a big part of, uh, you know, why I intended to do the work. Um, and it, it kind of took off. So this is cool.

Chris Romeo (03:06):
Very cool. Yeah. So topic we wanted to explore today is CVSS. Specifically the 4.0, the new version of CVSS, but I think it'd be beneficial to lay a foundation first before we dive into, like, what are the differences? What is 4.0 doing for us? Let's not assume that everybody who's watching, listening, knows

(03:29):
what CVSS is or how it applies to their world. So, Matt, why don't you set that up for us since I know you've, uh, done a little bit of thinking about CVSS.

Matt Coles (03:38):
Yeah, I've, uh, I've been involved with CVSS for a while, uh, as a user as well as a member of the SIG. So CVSS, the Common Vulnerability Scoring System, is a production of FIRST, the Forum for Incident Response Teams. You know, so incident response and security teams. So first.org.

(03:59):
Uh, the SIG, um, put together, uh, now a total of four versions of, well, more than that, but, uh, certainly four that are in popular loop popular. Popular use. Uh, fun morning this morning. So, uh, CVSS 2.1, which many are probably familiar with if they've seen

(04:22):
anything in the National Vulnerability Database, uh, from earlier years, and then, uh, 3.0, 3.1, which is the most recent in, in release version, in use version of CVSS, and then more recently 4.0 that launched in, in beginning of November of this year. So basically the Common Vulnerability Scoring System, for those who aren't familiar, is a method for determining the

(04:45):
likelihood of exploitation and the, uh, relative impact of exploitation. Looking at severity, not risk. So very important. If you take any given issue, any given vulnerability and you try to, and we're talking specifically vulnerabilities here, not weaknesses, but vulnerabilities, looking at

(05:07):
what's its severity relative to other vulnerabilities. You can use the CVSS calculator to generate a score from basically 0.0 to 10.0, where obviously 10 is critical, zero is, is not, uh, and, and then everything in between low, medium, high, critical on the scale, uh, and it's, uh, now the de facto standard or, or the

(05:31):
current standard that's in use for the National Vulnerability Database. Many of the security scanners, vulnerability scanners will, will reflect CVSS scores. Um, you know, SAST and other tools as well. Uh, and, and so it's a generally recognized, uh, method for, for determining severity of, of vulnerabilities.

Chris Romeo (05:51):
Okay. So how good is it, I guess, is where I want to start. Let's, let's, let's just not spend any more time in the kind of the, the warmup of the conversation.

Patrick Garrity (06:05):
I think Matt is biased. Can I take this? Yeah, no,

Chris Romeo (06:08):
Patrick. I want to hear your, I want to get your take first.

Patrick Garrity (06:10):
All right. Yeah, and you're gonna find, like, um, most of what I'm critical about is not actually, like, CVSS, it's the aspect of how it's been adopted. Yes. And... Not biased at all here. Yeah, and, and to be honest, like, the end users are highly impacted by this because the reality is, is like, it shouldn't be them on, on them to fix this problem.

(06:32):
Um... And so I think that's, we'll talk about what's so important with v4, but the biggest problem and challenge is that, uh, CVSS predominantly the base score is used, um, in almost every vulnerability management tool, and every time you see a publication saying there's a criticality of 9.8 or 10, um, or

(06:53):
9.9, right? Um, that's not taking into consideration, uh, any additional intelligence as it relates to threat. Um, and CVSS has the capability to be enriched. However, um, you know, NVD, the score there, is the base score, and that populates almost every vulnerability management tool in

(07:14):
the world. Um, so, when we look at CVSS, everyone has standardized on, uh, the base score, which, you know, I think 60, 56 percent of things are critical or high with that. So, um, I don't know, that's, that's my fundamental criticism is the fact that, like, uh, there, it's very promising.

(07:35):
Um, but I think, you know, and we'll talk about V4. I think there's some great things there, but unfortunately, very, very few vulnerability management programs want to use it, enrich it, um, with context of asset and, and threat. So fundamentally that, that results in a pretty negative experience, uh, when you use CVSS for vuln prioritization,

(07:57):
right? So, so can we
So, so can we

Matt Coles (07:58):
just, uh, make sure that users are familiar, uh, you know, folks who are listening are familiar with. So when, when Patrick was talking about base score, so CVSS has a, has a collection of metrics. So in 3.1, there's a collection of metrics, um, uh, base, which are the, the core of likelihood and exploit, likelihood, uh, or, ability of an attacker to exploit and impact, and then

(08:20):
there are extended metrics around environmental and temporal which can be used to modify the score and get some, you know, use that additional intelligence basically or from a, from a consumer standpoint to, uh, to tailor the result based on their usage and their, um, you know, their environment. That's how it's intended to be used. It isn't always used that way, as Patrick highlighted.

Patrick Garrity (08:42):
Very, very rarely! I think it's used that way.

Izar Tarandach (08:46):
Because it's hard!

Matt Coles (08:48):
Well, there is, there is, there is a challenge there, right? So in v4, we do try to fix that. Before we jump into v4, I'll, you know, so... There's definitely, yeah, there's definitely some, some challenges there and the SIG took in that input and tried to do a better job with, with V4 and hopefully we got a baby step farther along.

Chris Romeo (09:08):
So somebody, somebody give me an example, like how would CVSS be used? Before we go to V4, let's use V3, right? As the, because that's been the de facto standard for years, a couple of years, I think, if I remember correctly.

Matt Coles (09:21):
2019. 3.1 came in, in 2019. So 3.0 was a little bit before

Chris Romeo (09:26):
that. Okay, so 5 years basically it's been in play here. So, uh, Patrick, give me a use case here though. Like, I want to make sure I'm understanding how CVSS is supposed to play in my... How am I supposed to use it?

Patrick Garrity (09:41):
Yeah, so, well, I think that's an interesting question. So, first, I think there's different ways in which you can use it, and that I've seen people use it. So, most commonly, most widely adopted scoring system is, is adopting the base score. Um, and frankly, like, PCI DSS, um, requires you to fix all

(10:02):
things, I think, four or higher, which is basically fixing almost all your vulns anyway. So we all laugh at that. Um, but, um, in addition to the base score, right, and saying we're going to fix criticals and highs, everything seven or above. That's, that's mostly how people have operated or used it, or maybe prioritize things based on what scores are the highest.

(10:22):
Um, but the reality is, is like, that's very difficult for most organizations to patch 60 percent of their vulnerabilities, right? Um, I think most organizations end up patching somewhere around like 10, 10, 15, 20 percent in a good case scenario. And then there's other approaches. So enrichment of the temporal and environmental metrics, which

(10:43):
then, you know, adjust your scoring accordingly, and we'll prioritize things that, um, have threat or, or environmental context that increase your risks. Um, I see very few people adopting those things today, and I think, like, we'll talk about 4.0. I think there's some great shifts, and I think part of it's even a marketing problem, um, and terminology problem, um,

(11:07):
product terminology problem, um, with some of it. Um, and then the other way I've seen is people actually using the metrics themselves. So, for instance, like, um, you have attack vector, or you have, um, uh, I'm spacing on the metrics, I should pull them up as I'm talking. Um, but, you know, you can make informed decisions to say, oh,

(11:30):
wow, this is exploitable, uh, via network. Like, it, it, you know, you can remotely RCE this, for example, with, I think, two attributes, you can figure closely that out. So, you know, Yahoo, for example, and I, this is public information, Chris Madden uses decision trees with stakeholder-specific vulnerability categorization to incorporate

(11:52):
threat. So something like KEV in a decision and then further use the CVSS metrics themselves to say, oh, the attack vector is network. Um, oh, no privileges are required. Like that's a really high, um, higher probability. So it makes sense to decision on that. Um, so those are, those are kind of like three different ways

(12:14):
I've seen, uh, in the wild, um, CVSS being adopted, uh, as it relates to vulnerability management programs. And that's on the, um, sorry. Yeah, that, that's more on the internal vulnerability management teams. I think there's another side of this, which is like vulnerability disclosure, bug bounty, slash like software

(12:36):
development. Um, which I don't spend as much time on, right? Um, that, that Matt or Izar might be more familiar with as far as some of the ways there, uh, and how it's used.

Matt Coles (12:50):
Uh, you know, so what? One thing I do want to highlight, and this is sort of why NVD, we see NVD using only the base scores. Today in 3.1, the base score is intended to be used by vendors. People who, who have vulnerabilities and they, and they get the, you know, they get a CVE for it, for instance. The base score is intended to be used from, from a vendor

(13:10):
standpoint. The temporal and environmental metrics are intended to be used by consumers of vulnerabilities and how that vulnerability will impact them, right? So for instance, if they have a, if there's a library, then upstream, you know, provider provides a library and that library has a vulnerability, you get a base score. Then when you consume it, when you consume it, you're then,

(13:33):
when you, when you consume it, you're going to then modify its characteristics based on how you, how you make use of that library, or that component, or whatever the case may be.

Chris Romeo (13:43):
Yeah, yeah, I want to interact with, uh, so we have the ability to look at comments that people are putting as we're having this conversation, and so I want to put up Dan, uh, Kuykendall's, uh, comment here, because I want to have the panel kind of react to this, like, it seems like this, that, like, what Dan's suggesting is kind of in line with what, uh, Patrick, you were saying, um, I think you made this little, this kind of

(14:06):
similar statement, but Patrick, what's your reaction here? Do you think Dan's, is Dan right on here and his assessment of, of how CVSS has been classically approached?

Patrick Garrity (14:15):
Um, yeah, so I, I think a few things, right, which is, I think there needs to be more vendor responsibility of adopting CVSS enrichment. Um, so the, like, truthfully, um, part of the challenge is that it has, uh, difficult for vendors to get customers to provide, choose the metrics. So, like, I don't know that the customers should choose.

(14:37):
I think, like, it should be auto-enriched. Um, maybe the environmental metrics, there's some choice in that. But, like, that's where we need to get to, to get broad adoption of CVSS beyond base score, is, like, the work has to be done for the consumer. And I know there's some work that they're going to have to put in, but, like, none of the vuln management tools out there do this for them today that I'm aware of, that I've ever seen.

(14:59):
Like, all of them just incorporate a base score. There might be, like, a rare exception to that, but, like, the most popular tools, um, you don't really have the luxury of modifying even the CVSS scores. Um, so that, that, that's a real thing that needs to be overcome in order for people to, to really get value out of CVSS with their vuln management programs.

(15:20):
And it is something, too, like, even, even on our side, like, we believe that v4 makes it much easier for the product companies that are delivering VM tools to do that, uh, which is pretty exciting.

Matt Coles (15:34):
So in this case, Patrick, you're talking about using, uh, you're not talking about changing the way that CVSS works, you're talking about the implementation by tool vendors that should come with context.

Patrick Garrity (15:48):
Yes.

Matt Coles (15:48):
And we've talked about this, I think, on the Security Table in the past about the problem with many of these tools, SAST, bad word, DAST tools, as Chris is known for, uh, that, and S, and S, and potentially, you know, or, you know, static code analysis at this point, uh, context is always a problem. And so do the tools know what it's, what they're looking at?

(16:11):
Can it, would it be able to provide the right information or at least give options to, I know that some tools will ask, like, what type of system are you building? And, and, uh, yay. Yes, another, another DAST fan over here. Um, so, um, yeah, so it's, it's interesting to, to see how that

(16:34):
turns out. It's nice to see that, you know, it's nice to know from a SIG standpoint, I think, that CVSS has the capabilities. I'll leave it at that.

Patrick Garrity (16:44):
And there are like, there are some things I think too, like there is more OSINT, like there wasn't OSINT data regarding vulnerability threat intelligence, very accessible until more recently. Um, so I think the other things is it would be nice to even see, like, maybe upstream, like, NVD enrich CVSS scoring with a

(17:08):
threat intelligence that's available, like, CISA KEV, Known Exploited Vulnerabilities List, and, um, EPSS would be another example. Um, so I think there's some interesting things that could happen, um, that would make it easier, because in some ways, like, if, if CVSS did that work, actually, before it hit the vendors, that would even make it easier for it to get broader

(17:32):
adoption. So generally speaking, like, I love to be a voice, even myself, of trying to get vendors, um, not only us, to adopt open standards like CVSS, CVSS BT score, um, BTE, uh, which we'll get into when we talk about 4, EPSS, KEV. Um, like all these things are great for, um, product companies

(17:55):
to be implementing. Uh, and putting in their products, and we're seeing a lot more adoption of that, which is great.

Matt Coles (18:01):
Well, and actually, can, oh, sorry, can I just, uh,

Chris Romeo (18:04):
Yeah, please respond.

Izar Tarandach (18:04):
Can you hear me now first?

Chris Romeo (18:06):
Yes, Izar's back!

Izar Tarandach (18:08):
Yes, yes, yes!

Matt Coles (18:10):
So, uh, this is probably a good segue into v4, because of some of the capabilities that we're adding in v4 that vendors can take advantage of, or vendors can use, that consumers can then leverage, uh, in their, in their use. Uh, so, to introduce it a bit. So CVSS v4 takes and expands the, the number, the metrics have

(18:33):
expanded. We've done some changes from 3.1 to address, uh, confusion, the way that things were, were being set in, in 3.1 that often resulted in misscoring or confusions about scores, uh, especially when it came to things like how scope is handled, uh, and we can talk at length about that if you want, um, but, but the really, the key part I wanted to highlight

(18:54):
because, you know, what Patrick was mentioning was supplemental metrics. So, while supplemental metrics don't affect the score, it's additional data points that vendors can provide to their consumers so that they can, um, interpret the results appropriately and make important decisions from it. So, it was important to highlight that just because of the topic. Um, we can dive into that in more detail, uh, as we go.

Chris Romeo (19:16):
Yeah, I'd love to get, um, I'd love to get Patrick's take on CVSS 4, kind of, from that perspective, uh, as far as what you've seen as you've kind of studied it and analyzed it.

Patrick Garrity (19:27):
Yeah, so I think, I think like proceed with caution, I tell people, and the reason, the first reason why I say proceed with caution, isn't because, um, of any reason other than like, it just came out, um, it's really not being used or leveraged, it's not in the NVD, um, so saying like suddenly we're going to do 4, CVSS version 4, doesn't mean much, um, I

(19:50):
think right now. And so there's a long tail of time, like almost like with any product coming to market, where like all these things need to be true to where it's going to be usable at least for, uh, vulnerability management or product security teams, right? Um, at the same time, like, there's no rescoring of previous vulnerabilities, so if you standardize on version 4, you

(20:13):
still have to leverage and use previous versions for older vulnerabilities. Um, so, you know, I think this is just the dynamic of, like, the reality of, of, um, how CVSS has worked, um, in consideration. That being said, like, I think it's really promising if we're, like, going, okay, from now on, moving forward, like, maybe we

(20:33):
consider leveraging and using CVSS version 4. Um, but once again, like we need vendors to get on board with enrichment. Auto-enrichment, I think, is huge. I think talking to some intelligence firms, the concept of enriching and creating a BT score is possible without having any asset information. So I think there's some really, uh, interesting and promising

(20:55):
things that could be done. Um, oh, and I see that an advisory. So, um, you know, that that's the first thing from my perspective. I do think that the change, um, in the scoring methodology is going to provide better distribution. If you're only using a base score, based on my work of doing calculations, it looks like the scores will generally be as high

(21:17):
or higher. Um, but, um, that being said, they'll be better distributed. Um, uh, which is a, a big bonus as well. So, yeah, and that statement could be inaccurate. I did my work in, like, June. Um, but my guess is, is, like, generally using the base score is probably going to feel the same, um, uh, as it did before.

(21:41):
Um, so you really, if you're going to adopt CVSS version 4, want to look to how you can, uh, you know, get to a threat and environmental side. And the last thing I'll just say in, in version 4 is, I think the marketing side, like, in some ways, what CVSS did in putting nomenclatures together, um, it's not as if the nomenclatures

(22:04):
didn't really exist before, but this is an example of where marketing can really help. Um, these nomenclatures break out the base score, which is called CVSS, uh, dash B. Then you have the base and threat metric score, which is CVSS base, uh, plus threat metric. And then, um, you have BTE and BE.

(22:27):
So, BTE would be your base score plus the threat enrichment plus the environmental metrics. And that would be the, like, the ultimate goal is pretty much a universal risk score. Um, uh, I might have said that wrong. Matt's like, yeah, maybe, maybe a little bit, but, but I think you're getting into...

Matt Coles (22:46):
Less risk, more severity, right?

Patrick Garrity (22:48):
Yeah, but if you're getting into asset context with the environmental conditions, then I think, like, it, it does get much closer to risk. Um, and so I just think, like, that, that's some of the promising aspects of, I think, CVSS version 4. Um, depending on which vendors, and I think, like, Nucleus is an example of the company I work for.

(23:09):
Where since we're like an aggregator and looking at all this, um, we have the opportunity to do that, whereas, like, that's a lot harder to do on a scan tool, for instance, right? Um, so I'm, I don't know, we're pretty, like, I'm pretty bullish, and Nucleus is pretty bullish as far as, like, the, the possibilities of, um, CVSS version 4, uh, and how it could

(23:31):
be used and adopted, uh, within vuln management and product security programs.

Chris Romeo (23:37):
Izar, you've been waiting so long to say something.

Izar Tarandach (23:38):
Yeah, can I get one in there? Oh! So... I don't know if you guys discussed this already when I was off, but my thing with CVSS and going very much into what Patrick said about marketing is that there was sort of a miscommunication somewhere in the way that people understand

(24:01):
it and the way that people use it, and as you alluded before, people started adopting it as a show of risk. Very interesting. And, uh, uh, CVSS very quickly for me became what I internally call the panic index. Oh, it's a 10, it's a 10, let's run around with our heads on fire, and yeah, it's a 10. And, uh, uh, as you guys know way better than I did at this

(24:24):
point, it's not always the idea, right? But one big thing that was always there for the users, for serious users of CVSS, in my opinion, is that, yeah, you get a nice index out of it, but the index itself is not the whole story. The index has to be used together with the vector so that

(24:45):
you can tell the story behind the index. And people very quick became very adept at interpreting the index, but not quite so at the vector. And, uh... What I'm afraid of now is that CVSS gets derived into C-V-S-S-B-B-T, BTEE, TEBB, whatever we mix in there and

(25:11):
people are going to have an even worse time at understanding that. So touching back into what you mentioned about marketing, now that the standard is out, what is the SIG planning to do in order to make this thing easier for people to consume. And perhaps, fix the mistakes of the past?

Chris Romeo (25:36):
Nobody wants that one.

Patrick Garrity (25:37):
Well, you asked about the SIG, and Matt's the only one on the SIG!

Izar Tarandach (25:42):
NERVE!

Matt Coles (25:44):
Alright, so, let me try to unpack that, uh, a little bit, but uh,

Izar Tarandach (25:49):
But I was so explicit!

Matt Coles (25:51):
You were. So, I think, first off, you know, putting better... So, one of the things that we did, we tried to do in the SIG was to, um, really focus on documentation, so the specification, the user's guide, there's an FAQ, there's examples to help people with scoring, and also given that the, um,

Patrick Garrity (26:14):
Hey Matt, on the, on the training note, right? Yeah, yeah. That you're talking about, like, I think last night or the night before I went to first.org and I went through the, the, the V4 training.

Matt Coles (26:24):
Oh good, how was it?

Patrick Garrity (26:25):
Yeah, I just want to emphasize, like, that's available to everyone.

Matt Coles (26:28):
Great.

Patrick Garrity (26:29):
It was good, it took like half an hour to an hour. It's a good overview for people that are in vulnerability management or want to become more familiar with CVSS. So, um, yeah, kudos on that.

Matt Coles (26:42):
Thank you. That was really important. Uh, obviously training, training is hard. Documentation is necessary. One of the things I think you highlighted earlier was, you know, that people are unfamiliar with certain aspects of how CVSS is intended to be used or, or could be used. Uh, there's, I imagine a number of folks probably don't know that there are, there's guidelines for vulnerability

(27:03):
chaining. There's guidelines for, uh, different types of components, component usage and how, how that will affect your CVSS scores, uh, and there's different, uh, and there's guidance or information in the user's guide and the examples, um, for, uh, some of the, we tried, we tried to get ahead of some of the new questions around things like, uh, so what, so a

(27:26):
couple of the big changes that happened in V4 from 3.1 was we changed how scope works, right? So scope, originally was it either has or has not changed based on, uh, you have a vulnerable thing and then you have some, some impacted things, uh, and, and scope change occurs when you, when the vulnerability occurs in one component but

(27:47):
affects a different component. But what wasn't clear was what does scope change really mean from those, from those metrics? And so in v4, we split those out so now you can have some, an impact against the vulnerable system and or the subsequent system, the impacted systems. And so you get better clarity. And so we took a lot of effort to make sure documentation was clear on those points.

(28:08):
Uh, likewise, many of the other aspects around how usage, uh, you know, usage of the, of the calculator and, and as to Izar's point about what the, what the index or severity label means versus the score. And so you get better information, better data out of the calculator, uh, or, or when you generate the score, you get

(28:29):
better data that's, that's encoded in the vector string that can allow you to make better informed decisions. Uh, and, and that was a really big focus area for us. I also see there's something in the chat. Somebody was asking about, well, what about things like medical devices and whatnot? And so we, um, one of the nice things about V4 is, um, that it

(28:52):
has, has added metrics or metric values around functional safety. So safety of people, not just of systems. Uh, and so this was an attempt to start to introduce, um, the, the human aspect to, to, to CVSS. So previously it was primarily around data and function,

(29:12):
confidentiality, integrity, and availability of data, but now it can also include, uh, whether or not a, uh, a vulnerability can impact, uh, you know, either directly or, or indirectly impact, uh, safety in a, in a system. So if, if that system is being used as a medical device or, you know, favorite, favorite example, nuclear power plant

(29:33):
control, uh, then, then those are, those are kind of important to understand that this vulnerability, you know, may not be serious, but it may have a safety impact, and therefore you want to take it, take attention to it. So, yeah.
Chris Romeo (29:46):
Can I ask a, can I ask a question about the complexity of this thing?

Matt Coles (29:50):
Thank you.

Patrick Garrity (29:51):
Oh, that's, that's my gripe.

Chris Romeo (29:58):
Is this, is CVSS 4.0 calculator and the entire algorithm that's been created. Is this for everybody first, or is this just for people who are in the trenches deep enough where they can understand all these different things. Because I'm looking at the calculator and I've got attack vector, complexity, requirements, privilege

(30:19):
required, user, I mean, I've got a lot of things that are...

Patrick Garrity (30:22):
And your eyes are just glassed over, right?

Chris Romeo (30:25):
But it's kind of, but I don't understand.

Izar Tarandach (30:27):
But wait, you're asking about the calculator or you're asking about the algorithm behind the calculator?

Chris Romeo (30:31):
Well, I mean, the calculator implements the
algorithm, I hope.
Yes.
I hope it's something different.
Wait, yes, but?
What does that mean?

Matt Coles (30:39):
Yeah, what does that mean, Izar?

Izar Tarandach (30:40):
Okay, so, on 3.1 and before, you had this nice formula, you changed the levers, and the levers serve as flags for multipliers of weights, that at the end give you the nice number. But now when you look behind the thing, you have, what was it called, uh, the... Equivalence nuts.

(31:00):
Equivalency nuts. The equivalency sets that point out to strings that have to be built dynamically, and then each, each, uh, group of strings points to a bucket, and that bucket represents something else, and... It wasn't easy to go through all that stuff, I have to tell you.

Matt Coles (31:20):
But you don't have to.

Patrick Garrity (31:21):
So, so I think... Yeah, I think there's a few things to unravel here, like... 99 percent of the world will never understand how CVSS works, and they shouldn't have to, right? Right. Um, but there's a fundamental disconnect between CVSS being a protocol that does this thing, right?

(31:42):
Like, does everyone understand how... Email works and SMTP and all that stuff. No, but they use it every day. We do. Yeah, you all do. But yeah, but outside, you know, outside the circle. So I think there's this reality that it's like, well, the challenge, right, is the event that most, there's only a few. Very few sophisticated, very mature organizations that can

(32:05):
adopt CVSS, um, at a, at a level of scale. You have to have sophistication, right? Um, and so, I'm not saying everyone in the world is dumb, but it's just the reality that it's like, is this the most important thing for them to understand in the job role? Um, probably, probably not for most, um, if you're in vuln in

(32:26):
management, like, you probably should know some of it, but the reality is, is I meet a lot of vulnerability management and product security teams that know absolutely nothing about vulnerability, um, uh, scoring, right? Um, and so that's where I think, like, I'm incredibly biased towards, um, there's a disconnect, and I think part of the marketing needs to be to vendors, um, in, in

(32:46):
interoperability, where they're adopting these standards. And they're doing the work for the consumer. Like, they're enriching threat intelligence of the CVSS score. So they don't have to know if they're using CVSS B or BT or BTE. But the reality is, is like, good luck trying to get Tenable or Qualys to do that, or any other, you know, I'm not trying

(33:08):
to criticize, but like, you have hundreds of vendors out there, um, that you have to go advocate to actually make this a possibility. Um, and so, I think that's like the biggest challenge that CVSS v4 is gonna have. Is the right adoption within the tools that are out there in these existing customer environments because like

(33:29):
they're going to keep on using the CVSS score that whatever the tool in their environment is spitting out. Um, and that's the, you know, that's the harsh reality.

Chris Romeo (33:37):
So I want to come, I want to come back to Matt here and ask this, this complication question because I didn't get his answer on that, but like, is, is this too complicated or is it okay? Because it's not for everybody.

Matt Coles (33:49):
Well, so. I want to, I want to tackle the is this for everybody. CVSS should be used, in my opinion, my personal and my professional opinion, that CVSS should be used by anybody who's, who's scoring, who needs to know, wants to do an apples to apples comparison at the very least, you know, or wants a consistent way of calculating the severity of an issue.

(34:13):
Now, do they need to understand the math behind it? To Patrick's point, I think the answer is no, right? People rely on technologies all the time, but they don't necessarily understand how it all works underneath. And that's okay, because the calculator abstracts out four of them. It's important to know what the metrics are, what they mean.

(34:33):
So when we say attack vector, what does attack vector mean? What does it mean to be network versus adjacent? Right, that's important to know, but that's important to know if you're doing, if you're creating vulnerabilities or working on vulnerabilities, that's important to know because that's, that's how you would then specify mitigations or how you would look at risk or, or other things that, that should

(34:55):
be part of your, of a job function there. And so, um, is this for everyone? It's, I think it's for everyone who has a usage for it. And whether or not it's using an easy to understand formula, or, and by the way, the old CVSS formula I don't think was, was trivial to understand either. Uh, the use of, of equivalency sets doesn't make it worse.

(35:20):
Uh, it is, it is a bit more mathy. Uh, there's, there's more, some more theory to it, but, uh, but it gives more, Um, expressive, uh, results, right, which is the important part. Um, so, I think in that regard, I would say it is for everyone who has a need to use it.

Chris Romeo (35:40):
Izar?

Izar Tarandach (35:41):
So here's the thing. First of all, clarification. I agree. 4.0 will bring us better results. With that said, I have to play the devil's advocate and say... Are we creating a trust me bro effect here, where I say, this is the CVSS result, and behind the curtain, how it got, how it

(36:05):
got gotten to, it's not really a problem, just trust us, we went through the math, and the math is good. And at the same time we advocate for people to know as much as they can about the things that they run and the things that they own, so are we giving mixed messages in here? And what if somebody, a vendor, comes in and says, you know what, I question this CVSS result that I got.

(36:27):
And nobody can, a small number of people can actually go and say, Okay, let's look at the math and see how you think that this thing broke.

Matt Coles (36:38):
Yeah, so I will, I'm going to give you my perspective here, which isn't necessarily the common perspective. Well, I'll give you my perspective. I don't know what the rest of the SIG would say, but, uh, You know, the, the, the CVSS SIG is made up of, uh, what, 50 different, 50, 50 plus individuals from, from

(37:01):
organizations that range from, from individual people who are, you know, who do this for, who do vulnerability management or vulnerability discovery for living all the way up to small, medium, and large organizations and governmental and non governmental agencies. Some people have a heavy background in math and computer science. Others have, you know, history and another back, you know, and

(37:23):
program management and program development experience where they're doing their vulnerability managers. So a whole range of experiences and understandings and perspectives. And this was, uh, you know, implemented, tested internally. Beta tested with, from, you know, with outside people who

(37:45):
provided comments. We got comments from the industry about the scoring method, about the approach, about the calculator and all of its details and all the documentation, uh, and over the course of the past X number of years. And so this has been well vetted, I would say, right? So it's important to highlight that this is a community effort,

(38:08):
obviously, of initially of members who, people who are members of FIRST, which are people who have a vested interest in understanding how vulnerabilities are scored and managed and acted upon. And then. And then beta tested with the community at large, the people who will be consuming the results of the calculator and all the documentation, etc.

(38:29):
And so over that period, we tried to address any of the comments that came in. So, is it perfect? Unlikely. Is it supportable? I believe it to be. Uh, and, um, and then time will tell if it becomes trustworthy.

Patrick Garrity (38:51):
Yeah, I think, uh, you know, one, one thing Izar, too, on that note, like, I research threat intelligence sources, EPSS, exploit prediction scoring systems, CVSS, I will tell you, like, I do think that people ideate a little bit too much on perfection. Um, and, and it's really like when you have 240,000

(39:11):
vulnerabilities, it's really easy to pull out all the ones that are anomalies that are misscored or like should be higher, or like, I can tell you every scoring system I've looked at. Um, and like, hey, why, why does, why does every threat intelligence source have completely different vulnerabilities on it? Um, open source and non open source, and I think that's a,

(39:34):
that's, that's a bit of the reality of like the, the complexity and the state that, that we're in right now, uh, too. Um, and so I try and caution people, like, every time someone shows up to the EPSS SIG, they point out that, like, there's 10 KEV vulnerabilities that have a very low score. Um, and then it's explaining, like, well, yeah, this is a

(39:54):
machine learning model, and this is how it works, and, like, oh, by the way, like, um, Just because something was exploited 10 years ago doesn't mean that it's going to be exploited in the next 30 days. Um, so a little bit different there, like, because we are talking about ambiguity with machine learning, um, and it's not logic, you know, uh, driven necessarily, but, um, Yeah, I

(40:15):
think that's one of the, one of the biggest challenges we have in vulnerability management is like, everyone is just like, where's the silver bullet? Where's the silver bullet? Where's the silver bullet? Uh, and, and reality is, is like, there's a lot of, lot more work to be done. Um, and people need to acknowledge like, where to prioritize. Um, their efforts, and starting with a CVSS base score is

(40:39):
probably one of the worst things you can do. Um, uh, for a vulnerability management program.

Matt Coles (40:45):
As a consumer.

Patrick Garrity (40:48):
Yes, as a consumer, sorry.

Matt Coles (40:50):
As a vendor, that's where you start.

Patrick Garrity (40:52):
Yeah, it's critical.

Izar Tarandach (40:53):
So, thanks to both of you for the answers, but just to add a bit more fire on the pile, uh, Patrick, you went to EPSS. And in there, there isn't even a semblance of trying to make the algorithm known. It's already known, hey, it's closed, no, you can't look behind the curtain, and you know what, just accept the number, work off of it.

(41:14):
And, uh, I don't know, something inside just tickles me, that we are trying to get all this clarity and all this understanding, and everybody to look at the same thing. It's not even a silver bullet. It's to look at the same thing the same way so that we can go after the important things before everything else. And at the same time we are modeling the way that we get to that angle. So, while I agree with everything that both of you

(41:36):
said, And yes, this is getting better than it was a year, six months, three months ago. And it's probably going to get better as we go forward. Something still doesn't fall right with this whole believe us thing.

Patrick Garrity (41:53):
Trust

Izar Tarandach (41:54):
I would like to have some more clarity.

Patrick Garrity (41:56):
like vulnerability management has failed at this for decades, so that's why nobody has trust.

Izar Tarandach (42:00):
Yeah, so now we are failing in a different way. We're failing in a way of, uh, remember when to, to, uh, run a computer program, you had to go to people that wore white coats to closed labs, and you had to just ask them to please talk to the machine. The feeling now is that, again, we are putting an intent... An interpretation layer between the things we want to know and

(42:23):
the people who are telling us what we need to know. And, uh, I think that with the whole everything is open approach, I probably got infected by that virus and something tickles me wrong. But I definitely see what you two are saying. So I'm not saying that it's inherently bad, I'm just saying that it's funny in this time and age, I guess.

(42:45):
Well, so what, what,

Matt Coles (42:47):
thank you for your perspective. What do you need to see? So if we're looking at the future of, you know, say CVSS, right? So we're looking at 5.0 in the future, right? What do you need to see out of it? What do you think is missing?

Izar Tarandach (43:02):
Okay, let me come clear here. No, let me come clear. I have a degree in math. The only reason they gave it to me is if I don't use it ever. So, I'm coming from that point, okay?

(43:23):
The thing that I liked about CVSS 3.1 was that I could look at that line, at that, at that equation, set of equations, look at the weights, and start understanding immediately what was it that, why one thing is considered to be more important than another in building that final panic

(43:43):
index, right? And on CVSS4, it's very, to me at least, very difficult. It's not as clear as I think it should be. I think that the whole thing that I'm saying is, it would be great, and perhaps the reason I just don't know, it would be great if there was some documentation to the

(44:05):
documentation that would explain better how those sets of things were gotten to and what they actually represent. And I understand that it was a collection of data from a lot of different sources and somebody bucketized those things and from there came the, uh, the sets. But I think that it'd be great if somebody took the time to

(44:26):
take us by the hand and lead us through the whole process, just so that adoption can be a bit easier because people understand a bit better the things that we didn't understand about 3.1 and before. You see what I mean? It goes to that marketing piece that Patrick brought up. If we want this, and I want this, to be adopted, it has to

(44:50):
be clear. And right now it's not to me.

Matt Coles (44:55):
Fair enough.

Patrick Garrity (44:55):
I think, yeah, I do think to some extent I agree with you, but I think time will tell as we see how things are scored to, um, that was one of the things I recommended that I was a little bit disappointed in, and maybe, maybe I interpreted this wrong, but I'm like, why don't we go and rescore the last 20,000 vulnerabilities, right?

(45:15):
And see how this model works. Um, and so I, I, like, I'm not part of the SIG. I'm speaking on my, my, my behalf, but I'm like, Logically, if I'm building a product, I want to see the outcome, and I do think there is a little bit of this, like, yeah, just trust us, like, we believe it's the best math, um, and I think

(45:37):
there, it's, it's documented and clear, but also I think we're moving past it. Thank you. A point of like logic in a lot of these algorithms or machine learning where there is no logic. Um, well, I don't know, maybe the wrong word is no logic, but, um, Like you can't, you can't just say like, here's why the machine learning model told us why this vulnerability is the

(45:57):
highest rate.

Izar Tarandach (45:57):
There's no explanation to the logic that
perhaps exists.

Patrick Garrity (46:00):
Yeah. And so like when we're looking at artificial intelligence and machine learning and things like that, it like totally throws things out the door. What I can tell you from my research is what I did and what I suggest other people do is they should spend time intimately understanding what what they're going to use to measure in their vulnerability management or product security programs.

(46:21):
So like if you're going to use CVSS, you should probably spend a lot of time becoming familiar with it and how it works. So that you know what impact that's going to have on your organization. Like, then, for me, I went to EPSS, and I was like, let me learn everything about this, and like, why are these low scores, and I'm looking at threat intelligence, and there's known exploitation. Well, you, you know, it took me a while to start looking at

(46:43):
these different parts of the pie, and realizing, like, each one of them has its own unique value, and the more you understand and use, probably the better your vulnerability management program is going to be. But like, that's a hard thing right now because none of these things are correlated. Um, the, the data sets are out there and all over the place.

(47:08):
Um, and so I think, you know, to some extent we're, we're, we're talking about like Most OSINT, um, you know, vulnerability intelligence sources just came around in the last, I don't know, two, three, four years. KEV, KEV, two years this month, right? And, um, EPSS, maybe three. Uh, so I, I think we're, like, really, uh, early on.

(47:31):
Um, and I, I do think, like, you know, there's some interesting, like, uh, like creating scoring systems by different vendors and trying to obfuscate all this. Um. I think you have like Qualys true risk score, um, Tenable has VPR, but the challenge is, is then we're, we're moving to proprietary standards and those don't scale across an enterprise

(47:53):
across all the different tools. Um, so yeah, I think, I think some of it's maturity, right?

Matt Coles (47:59):
Yeah, so Patrick, just to your point about rescoring, so we did, I mean, we, we certainly did within the SIG, and then I, and then I think during the beta process, there was additional rescoring of select, uh, select score, select things, um, from the, the members of the SIG, um, or from, uh, you know, that, that were publicly available

(48:19):
vulnerabilities. The hard part, I think, that we, you know, that needs to be recognized here is many of the old vulnerabilities that are in NVD don't have sufficient information to know All of the details like you're not a vendor at that point. You're a consumer, not a vendor. And so, uh, you know, you can't necessarily know all of the

(48:40):
intricate aspects to be able to create the base score at the very least. Right? Um, so if there's, if so, for instance, if the system, if the score says scope change, yes. If you're looking at a 3.1 score originally in NVD, it's, it's challenging to know whether the CIA impact was for the vulnerable system or the

(49:04):
impacted system or some combination thereof, right, so that you can then create a proper V4 score with a vulnerable impact and a subsequent impact. And so those, those sort of challenges, uh, are, are, and I see you're smiling. I know you probably were.

Patrick Garrity (49:23):
Well, I did, uh, what I did in my research is I created ranges, right? So I had a high and a low range. So like the attributes that didn't map one to one, I like literally determined like, well, this is the lowest score it could be and the highest score it could be. And then I, I baseline that across all attack, uh, all vector strings for 3.1 and 3.0.

(49:43):
Um, and yeah, basically it showed it's like, you know, I have the, the visual somewhere, but like generally those plots were higher. Um, uh, but they were better distributed. So like not, not 10 percent of the vulnerabilities are scored as a 9.8. Um,

Chris Romeo (50:00):
Wait, that's bad? All right. So I want to, I want to interact. I know we've got, we've had a great audience that's been following along, uh, both on LinkedIn and YouTube with us. And so I want to, I want to interact with some of the. Comments and questions that we've seen come through here. We've interacted with a few of them just because they were in the middle of the conversation, but let's take a look at this

(50:21):
one from, uh, Buddy Bergman, who's asking a specific question in regards to using the vendor's enriched vulnerability severity, specifically calling out PCI's patching requirements for critical or high. Um, Anybody have? Looks like Patrick has an opinion on this one. Patrick, what advice would you give Buddy here, though, in regards to this issue?

Patrick Garrity (50:42):
I'm not a lawyer. Uh, yeah, I mean, like, like, here's the thing, right? It's like, the way it's written, from my understanding, is you basically have to use the base score in patch 4 or higher for your PCI environments. Um, what I thought would be promising, right, is maybe compliance standards could incorporate to say, hey, you can use the BT score, and

(51:04):
that would then be sufficient. Um, so I think there's some promising hope, like... Yeah, good luck lobbying PCI to change their standards, and oh, oh, by the way, all the other new standards, and I do think that standards are becoming more important, like just this month we saw NYDFS, um, also, uh, acknowledge vulnerability

(51:25):
management and doing it based on Um, risk prioritization. Um, so maybe they would qualify BT or BTE score as a consideration, uh, for that requirement. And that's what is exciting to me about Open Standards and CVSS is like, yeah, if we can have compliance requirements that

(51:46):
say, hey, We'll let you use the BTE score and do 7 or higher? Wow, that's gonna make everyone's life a lot easier. Um, so, you know, that would probably be my, you know, tying to PCI and, and all the other regulations coming down the, the, the, um, pipe. Like, they're too vague. Like, do it based on risk scoring.

(52:06):
Like, do it based on KEV. At least KEV is, like, KEV is a start, right? But, um, I think there's just so much more than that from my perspective, and if we incorporate the nomenclatures into compliance, it could help out a ton.

Chris Romeo (52:22):
Here's another one, uh, from Itamar. Uh, what are some open source initiatives vendors can partake in to help with enrichment? So, back on that enrichment kind of topic here, um, Matt, is there anything that comes to mind from your perspective? I know you got a good, you have a wide view of... What's happening in the space.

Matt Coles (52:38):
Well, so...

Chris Romeo (52:39):
I don't know what that... The dog was just recommending something. I couldn't translate it though. Izar is normally our translator. But go ahead.

Matt Coles (52:48):
So, um, so the, uh, um, remember the arrangement that Patrick was talking about was really having tools when they spit out scores to provide additional information or make use of that additional information to refine the scores that come out. Or the vectors that come out. And so open source initiatives, uh, I guess.

(53:11):
Open source initiative vendors, meaning open source maintainers, um, can help with enrichment by when they build tools, allow users to provide or allow for the ability to detect conditions that can be used for context, right? So if you're, you know, maintaining OpenVAS or, uh, or,

(53:33):
you know, a similar open source tool like that, um, you know, it was a vulnerability scanner. Maybe have a collection, have the ability for a user to provide either at the CLI or as a configuration file information about the system that's being scanned so that you get better results, right? If you're using Semgrep or, or, um. Uh, or, uh, you know, um, I don't know, Flawfinder or

(53:54):
whatever, um, that, that that can also likewise provide context so you get better, better scoring information, right? The hardest, the hard part with, uh, the hard part with the TE portion, the, the, the, um, you know, non base or beyond base metrics is it comes down to How you're using a component or how

(54:16):
you're using a system or an application, uh, and, and that would allow you to modify the base score, right? So the base score will calculate. Is the, is the vulnerability going to be impacted over a network and does it require authentication and, or do you have to trick a user into doing something, uh, for user interaction, uh, and does it affect confidentiality,

(54:37):
integrity, and availability in one or more systems? The extended metrics, the threat environmental metrics, uh, provide things like, well, do I care about confidentiality in my environment? A tool doesn't necessarily know that right off the bat. But you have, but what a human does and, and, or there's something that can be provided to provide that information, um,

(54:58):
and that can give better score results. And that's how you should use the calculator as a consumer. And so whether you're, I guess the call to action here is whether you're an open source, uh, maintainer of a tool or even a commercial vendor of a tool, it'd be nice to have this information so you can get more realistic scores. And, and, and to Izar's point.

(55:19):
Not everything needs to be a 5.0 bright red color or, uh, or, you know, sky is falling fix now because, um, when you can get better and more accurate outcomes.

Chris Romeo (55:32):
So there's no room for Chicken Little in the world
of CVSS.

Matt Coles (55:35):
The CVSS will let you do that. If you want, uh, I would argue your, your vulnerability management program there shouldn't be room for that.

Izar Tarandach (55:46):
Hey, it's actually the other way around. Sorry, Patrick. I think that there's too much space for Chicken Little in the CVSS world, because if you misuse it, that's all you get. Sorry, Patrick.

Patrick Garrity (55:57):
Yeah. I was just going to mention the question on the, uh, you know, open source stuff and contributions. I w I will say if you have threat intelligence or, um, exploitation data, I work on the EPSS SIG, like. You know, we incorporate that in order to build a machine learning model, so if you have any of that type of information, we use like actively in nuclei, Metasploit, I think F5

(56:21):
contributes. GreyNoise, Fortinet, Cisco, a bunch of other vendors, um, so I don't know, I think that kind of hits on the question that was asked earlier, um, regarding, you know, making contributions, um, and, and I will say like the, you know, EPSS SIG for good or bad is pretty, uh, loose in regards to like, there's a lot

(56:43):
of people in it. Um, uh, so it's a good place to hang out, um, in regards to, like, coordinating with different people, uh, as it relates to vulnerability management standards, so you can check that out too.

Chris Romeo (56:56):
We're almost out of time, but I want to react to this kind of last comment that I just saw pop in here, um, and just see do we agree with the statement that's been made here. CVSS is shared responsibility. Vendor provides a base score. Consumer adjusts with threat and environmental based on their specific use case. It's not solely one or the other. Do we agree with this statement as a, as a way to kind of wrap up our CVSS conversation?

Izar Tarandach (57:18):
In a perfect world.

Matt Coles (57:22):
Generally, I agree. And then I, in our documentation, the documentation for CVSS supports this.

Patrick Garrity (57:28):
I think that, um, I agree. I think there's a middle person, which is the tooling and the tooling is actually the core of the problem of CVSS today, um, where the tooling is not taking any responsibility nor building the capabilities to support, uh, CVSS functionality. So like that, that's where I think the shared responsibility is failing, um, uh, today that we're seeing, hopefully we see

(57:51):
that change with, uh, version four.

Chris Romeo (57:54):
All right. Well, uh, we're out of time here for today's Security Table. Thanks to everybody who joined in and contributed, commented, opinion, gave us opinions, ask questions. Thanks Patrick, for joining us as a guest here as always, Matt and Izar. Thanks for being around the Security Table. We will catch everybody next week.

Patrick Garrity (58:14):
Thanks so

Izar Tarandach (58:14):
much.
Thanks Patrick.