惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
F
Full Disclosure
Martin Fowler
Martin Fowler
The GitHub Blog
The GitHub Blog
L
LangChain Blog
T
The Blog of Author Tim Ferriss
D
DataBreaches.Net
GbyAI
GbyAI
Y
Y Combinator Blog
博客园 - Franky
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
A
About on SuperTechFans
Blog — PlanetScale
Blog — PlanetScale
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
G
Google Developers Blog
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
博客园 - 三生石上(FineUI控件)
IT之家
IT之家
Jina AI
Jina AI
N
Netflix TechBlog - Medium
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 聂微东
腾讯CDC
H
Help Net Security
H
Heimdal Security Blog
J
Java Code Geeks
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
The Exploit Database - CXSecurity.com
The Register - Security
The Register - Security
大猫的无限游戏
大猫的无限游戏
T
Threatpost
B
Blog RSS Feed
T
Threat Research - Cisco Blogs
Microsoft Security Blog
Microsoft Security Blog
S
Securelist
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
B
Blog
量子位
AWS News Blog
AWS News Blog
Project Zero
Project Zero
P
Proofpoint News Feed
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
S
Schneier on Security

Forbes - Innovation

Why Do Humans Have Fingerprints? Hint: It’s Not What You Think Booking.com Confirms Data Breach, Reservation PIN Codes Changed Why Major News Sites Are Blocking The Internet Archive’s Wayback Machine iPhone Fold Release Date: New Report Details Frustrating Apple News Comet Tracker: How To See Pan-STARRS And Three Planets On Wednesday NYT Mini Crossword Today: Tuesday, April 14 Hints And Answers Today’s NYT Strands Hints, Spangram, Answers: Tuesday, April 14 (It’s A Little Unclear) Today’s Wordle #1760 Hints And Answer For Tuesday, April 14 Most Of The Microplastics In Urban Air Come From Tires Today’s Wordle #1759 Hints And Answer For Monday, April 13 NYT Mini Crossword Today: Monday, April 13 Hints And Answers NYT Pips Today: Hints, Answers And Walkthrough For Monday, April 13 The YC Chief Who Codes 10,000 Lines A Day Has A Simple Secret Samsung Expands One UI 8.5 Beta To More Galaxy Owners Why You Should Stop Using Your iPhone If It’s On This List Chamath Says Firms That Treat AI As A Strategy Hand Rivals Their Edge 3 Unexpected Habits Of Secure Couples, By A Psychologist The First Lamp That Folds Your Clothes Samsung’s Disappointing Price Update For Galaxy Phone Buyers 3 Subtle Signs Someone Is Falling In Love With You, By A Psychologist Do Mantis Shrimp See More Colors Than Humans? A Biologist Explains NYT Connections Answers Explained For Monday, April 13 (#1,037) NYT Connections Hints Today: Monday, April 13 Clues And Answers (#1,037) LEGO Luigi & Mach 8 (72050) Review: 2026’s Best Set Yet? Marc Andreessen Says AI Productivity Will Trigger A Hiring Boom 3D Printing Is The Ultimate Hack To Reduce Household Spending Apple iPhone Fold: Striking Design Revealed In Leaked Photos Apple Smart Glasses: New Leak Reveals A Major Design Twist To Beat Meta Tested: The AI Coming To The Rivian R2 Quordle Hints Today: Monday, April 13 Clues And Answers Companies And H-1B Employees Endure Immigration Waits At Consulates 3 Easy Ways To Turn Anxiety Into Sustained Focus, By A Psychologist Here’s The Most Affordable Humanoid Robot You Can Buy Now UFC 327 Results: 5 Biggest Takeaways From A Wild Night In Miami UFC 327 Results, Bonus Winners, Highlights And Reactions Dana White Announces Huge New Fight For UFC White House Today’s NYT Strands Hints, Spangram, Answers: Sunday, April 12 (Get Ready) Tesla ‘Model 2’ Rises From The Ashes Today’s Wordle #1758 Hints And Answer For Sunday, April 12 NYT Pips Today: Hints, Answers And Walkthrough For Sunday, April 12 Tyson Fury Vs. Arslanbek Mahkmudov Results: Highlights and Reaction NYT Mini Crossword Today: Sunday, April 12 Hints And Answers How Shadow AI Culture Is Destroying Your Business Venture Capital Funds That Market Like Startups Win More Deals Conor Benn Vs. Regis Prograis Results: Highlights and Reaction Samsung’s Disappointing Price Update For Galaxy Phone Buyers Artemis Reached The Moon. The Grid Can Reach The 21st Century A Biologist Explains How Archerfish Shoot Down Prey. Hint: Their Aim Rivals Human Throwing Is It Time For Apple To Forget About The MacBook Air NYT Connections Hints Today: Sunday, April 12 Clues And Answers (#1036) Trump’s 2027 Budget To Reshape U.S. Environmental And Energy Policy CDC Delays Reporting Of COVID-19 Vaccine Benefits—Here’s What To Know Oura Has Designed A Solution To A Big Smart Ring Problem Netflix’s Best New Show Has A Near-Perfect 95% Rotten Tomatoes Score Coachella 2026 Is Being Taken Over By Creator Streams Quordle Hints Today: Sunday, April 12 Clues And Answers This Startup Wants To Use AI To Help Digitize History How To Get The Best Shield In ‘Crimson Desert’ Microsoft Venom Attack Targets C-Suite Executives ‘Maul: Shadow Lord’ Sets Even More Star Wars Rotten Tomatoes Records 3 Ways Happy Couples Argue Differently, By A Psychologist Success For Leapmotor Might Have Negatives For Stellantis New Names Surface As Potential Rogue And Wonder Woman In The MCU And DCU 4 Reasons Artemis Mission Matters Even If You Think It Is Wasteful Fast ‘Crimson Desert’ Patch Adds New Moves, Shield Hiding And One Great Feature Why Do Humans Blush? An Evolutionary Biologist Explains The Signal We Can’t Control Apple iPhone Fold: Striking Design Revealed In Leaked Photos Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix Fury vs. Makhmudov Full Card, Ring Walk Times and How to Watch Can’t Stand Liquid Glass? This New Hidden iPhone Setting Is A Game-Changer Test-Driving The 2026 Changan Deepal S05: Italian Style Made In China NSA Warning—Reboot Your Internet Router Now Ways That Human-AI Collaboration Slides People Into ‘AI Brain Fry’ And Cognitive Downturns Stop Using These Networks—Google, NSA And TSA Warn NASA Changes Moon Plan: Landing Now Depends On SpaceX Or Blue Origin Samsung Expands One UI 8.5 Beta To More Galaxy Owners The Evolution Of Programmable Hardware At Xilinx NYT Mini Today: Saturday, April 11 Hints And Answers Today’s NYT Strands Hints, Spangram, Answers: Saturday, April 11 (You’re Putting Me On) Splashdown! NASA’s Artemis II Returns To Earth After Moon Mission Attention Is All You Need. The Human Kind Is Still The One That Counts Today’s Wordle #1757 Hints And Answer For Saturday, April 11 NYT Pips Today: Hints, Answers And Walkthrough For Saturday, April 11 Android Circuit: Galaxy S27 Pro Emerges, Honor 600 Pre-Order Offers, Pixel 11 Display Leaks Apple Loop: iPhone 18 Pro Leak, Urgent iOS Update, MacBook Neo Issues Morgan Stanley Has Mostly Positive Outlook On Tesla Robotaxi, FSD V15 Running Out Of AI Tokens Faster Than Ever? Here’s Why CoreWeave Shares Pop 13% After Anthropic Deal ‘Euphoria’ Season 3’s Rotten Tomatoes Score Crashes, Has Lost Key Player People Don’t Agree On What AI Can Do, But They Don’t Even Use The Same Product ‘Overwhelming’—Google Issues Gemini Update For Gmail Users NYT Connections Hints Today: Saturday, April 11 Clues And Answers (#1035) Quordle Hints Today: Saturday, April 11 Clues And Answers The Costly Dream Of Space-Based AI Infrastructure Can You See The Watcher In This ‘Daredevil: Born Again’ Shot? Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update You Just Watched The Backdoor Pilot For ‘The Pitt: Night Shift’ Are Nicotine Pouches Like Zyn And VELO Safe To Use? A Doctor Answers Human Resources (HR) Is The Key To AI Success Per WalkMe ( SAP)
Stop Counting Vulnerabilities. Start Proving Risk
Yonesy Nunez · 2026-06-01 · via Forbes - Innovation

Dr. Yonesy F. Núñez is the CISO of Surf AI and a six-time CISO across financial services, fintech, and agentic AI.

getty

​For two decades, enterprise cybersecurity has run on a simple loop. Find the flaw. Name the flaw. Score the flaw. Fix the flaw. That loop is breaking, and most companies do not yet know it.

Earlier this year, NIST formally acknowledged that the National Vulnerability Database can no longer keep pace with new submissions. Tens of thousands of CVEs are being moved to a “Not Scheduled” category. The pre-March 2026 backlog has been effectively abandoned. The agency is now triaging only what the CISA Known Exploited Vulnerabilities catalog flags, what federal software requires and what Executive Order 14028 designates as critical.

For most organizations, that is not a footnote. It is the foundation. NVD enrichment feeds vendor scanners, the dashboards built on those scanners, the audit reports built on those dashboards and the executive narratives built on top of those audit reports. When the foundation cannot scale, every layer above it inherits the gap.

This is happening at the same moment AI is industrializing vulnerability discovery. Frontier models have already validated hundreds of high-severity zero-days in production open-source code, including a Linux kernel bug that had been sitting unnoticed since 2003. Autonomous systems are topping bug bounty leaderboards. Research estimates that AI vulnerability research capability is doubling every four months.

Discovery is no longer the constraint. Remediation is. And the gap between what we can find and what we can fix is widening every quarter.

The Economics Were Broken Before AI

Even before AI accelerated discovery, the vulnerability management market was structured around the wrong incentive. Vendors get paid to reveal problems. Enterprises pay to fix them. That asymmetry built an industry that rewards visibility and tolerates backlog.

Inside large organizations, the result is familiar to every CISO. Security teams present thousands of critical and high findings. Engineering leaders push back, citing legacy systems, testing windows and operational risk. Executives see red dashboards but rarely see a clean business case for what to fund first. The backlog becomes permanent. It gets reported as a control gap. It is actually a scaling failure.

That failure was tolerable when discovery moved at human pace. It is not tolerable now.

Severity Is Not Risk

The deeper issue is conceptual. CVSS, the scoring system used to rate the severity of vulnerabilities, was never designed to be a business priority model. A high CVSS score on an isolated internal system can be less urgent than a medium score on an internet-facing system tied to customer identity, payments or regulated data.

Real risk depends on context. Is the system exposed? Is the vulnerability actually exploitable in our environment? Is the asset material to the business? Are existing controls already blocking the attack path? Are adversaries using this technique today?

The current model flattens that context into colored cells on a dashboard. It creates urgency. It does not create an investment plan.

The Conversation That Needs To Change

After six CISO seats across financial services, fintech and now agentic AI, the question that matters has not changed. It has just been asked the wrong way.

We keep asking how many criticals we have. The right question is how much material exposure we can prove, and how much a defined investment would remove.

An honest conversation about software risk should sound like this. We have identified 12 verified exploit paths into systems that touch regulated data or core revenue. Six of those involve vulnerabilities on the CISA Known Exploited list. Four affect systems carrying customer identity. A defined investment of X over Y quarters eliminates eight of them and reduces residual exposure on the remaining four to a level the business has consciously chosen to accept.

That is not a dashboard. That is a decision.

It also forces a more honest internal conversation about what cannot be remediated, which compensating controls actually hold up under attacker pressure, and what residual risk the enterprise is choosing to retain. Regulators are moving in this direction. Companies should get there first.

The New Model

Three shifts will define the next generation of vulnerability management.

First, exploitation-weighted prioritization replaces CVSS-driven prioritization. Known exploitation telemetry, EPSS, runtime reachability and asset materiality become the primary inputs. CVSS becomes a vocabulary, not a priority order.

Second, the unit of measurement changes. Not findings opened or closed, but verified exposure paths reduced. Every quarter, every executive briefing, every regulatory submission should answer the same question. Did material exposure go down or up.

Third, supply chain compromise gets its own seat at the table. The biggest open-source incidents of the past year did not exploit code vulnerabilities. They compromised maintainer credentials, package publishing tokens and CI/CD trust workflows. That is a governance and identity problem, not a CVE problem, and the controls live in an entirely different operating model.

The Takeaway

The old vulnerability system was a real achievement. It gave the industry a common vocabulary for software flaws and turned hidden weaknesses into public knowledge. But public knowledge is no longer enough. The system now finds vulnerabilities faster than anyone can enrich them, contextualize them, rank them or fix them.

The old model counted problems. The new model proves which problems matter, funds the work to retire them and tells leadership honestly what residual risk is being accepted in return.

That is the conversation the next decade of cybersecurity will be measured by. The companies that get there first will set the standard. The ones still managing to a colored dashboard will be answering for it.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?