E09: Vulnerability Scanners
Vulnerability scanning — a decade ago it was a novel and indispensable tool for discovering any vulnerabilities in your fleet. Today, more often than not, these scanners are seen as a necessary evil and more a source of aggravation than something actually beneficial. According to CVE.org, in 2015 there were under 6500 CVEs assigned. In 2024 that number was over 40000, a 515% increase in under ten years. With the proliferation of containers, a single CVE can “affect” one entity once or tens of thousands of times. Given the volume and the ever-growing compute landscape, are vulnerability scanners still our best path …
E08: CVE is dead… long live CVE!
This episode was originally planned as a recap of VulnCon 2025, but recent events around the CVE program took center stage. On April 15, 2025, news broke that funding for CVE was being cut — only to be restored by CISA within 24 hours. In that short window, speculation and FUD (fear, uncertainty, and doubt) spread quickly, along with a flurry of new initiatives aiming to respond.
E07: CVE-2018-12699 - objdump is bad
It’s always interesting to hear from customers what concerns them. It helps us learn, it helps us be better, and sometimes it’s just downright boggling. Join me as I dive into a dissection of the super scary, critical (as per NVD, anyways) CVSS 9.8 vulnerability in objdump: CVE-2018-12699. The customer’s security team was so concerned because it showed up on a vulnerability scan that they needed it fixed. Did NVD get this right? Was the customer right to worry? Let’s look at the real risk.