blog

newsletterblog
blogblog
Affected Functions: A Key to Understanding Open-Source Vulnerabilities

Affected Functions: A Key to Understanding Open-Source Vulnerabilities

Explore the public availability of affected functions for OSS vulnerabilities and why vendors are spending millions to build private datasets.

Kyle Kelly
blogblog
Stop Detecting, Start Fixing: Dependency Upgrades as the Real Solution

Stop Detecting, Start Fixing: Dependency Upgrades as the Real Solution

Dependency upgrades are the simplest, most effective way to mitigate risks—so why aren’t they the priority?

Kyle Kelly
blogblog
Are Automated PRs Closing the Gap in Dependency Updates?

Are Automated PRs Closing the Gap in Dependency Updates?

A look at the real-world impact of automated dependency upgrades via tools like Dependabot and Renovate on modern open-source projects

Kyle Kelly
blogblog
Stop F@#!ing (Forking) Your Dependencies

Stop F@#!ing (Forking) Your Dependencies

98% of PyMySQL forks are vulnerable to SQL Injection

Kyle Kelly
blogblog
Beyond the CVE: Analyzing the Depth of GitHub Security Advisories

Beyond the CVE: Analyzing the Depth of GitHub Security Advisories

Understanding the GitHub Security Advisory Database: A Must-Know for Open-Source Developers and Consumers

Kyle Kelly
blogblog
Dirty Little Secrets of Vulnerability Management

Dirty Little Secrets of Vulnerability Management

Exposing Common Misconceptions about CVEs, NVD, KEV Catalog, and EPSS

Kyle Kelly
blogblog
Why I Signed: An Open Letter to Congress on the National Vulnerability Database

Why I Signed: An Open Letter to Congress on the National Vulnerability Database

Neglecting the National Vulnerability Database: A Flaw We Can't Afford

Kyle Kelly
blogblog
From Penetration Testing to Security Research and Beyond

From Penetration Testing to Security Research and Beyond

Recognizing My Dream for Perpetual Learning

Kyle Kelly
blogblog
Vulnerability Databases: Is China's CNNVD Superior to the US NVD?

Vulnerability Databases: Is China's CNNVD Superior to the US NVD?

A global overview of vulnerability databases and disclosure practices

Kyle Kelly
blogblog
The Bug Bounty Gold Mine: AI/ML third-party packages

The Bug Bounty Gold Mine: AI/ML third-party packages

The AI race has created a cesspool of third-party packages

Kyle Kelly
blogblog
Software Bill of Materials (SBOM): The Gateway Drug to Supply Chain Security

Software Bill of Materials (SBOM): The Gateway Drug to Supply Chain Security

Hey, do you know about supply chain security? ... You mean SBOMs?

Kyle Kelly
blogblog
Getting Infinite CVEs via Software Supply Chain Security

Getting Infinite CVEs via Software Supply Chain Security

This one is for you CVE hype beasts looking to fill your resume 😉

Kyle Kelly