by breadchris 1271 days ago
Until three years ago, the last time I touched JavaScript was when jQuery was all the rage. I had been a security engineer for my whole career, but recently I've been building a security product (with JS, obviously) and it has been blowing my mind, the state of everything.

Most security products are just lighter fluid on the tire fire that is "vulnerability management", and it has gotten to the point (as the post pointed out) where reports are doing more harm than good.

I had seen something like this coming, since when I was starting out in security the meritocracy surrounding collecting CVEs was very real for vuln researchers. It isn't their fault; it is just really difficult to prove your worth as someone who is seen as a cost center to a company. Additionally, if you don't actually find a vulnerability, are you a bad security researcher? Is the app actually secure? There is a lot that is left on the table if you can't get that CVE number, and proving your worth to the security community becomes challenging.

My company and I are all security experts spending all of our time figuring out how to flip the script on current reporting and response practices. If you (vjeux) or anyone else have any thoughts, ideas, or rants you would like to share, we have a Discord: https://discord.gg/awx66qBW. But if you aren't about it, you could shoot me an email: chris@lunasec.io.

Would love to hear about your war stories from the trenches!