E08: CVE is dead… long live CVE!
This episode was originally planned as a recap of VulnCon 2025, but recent events around the CVE program took center stage. On April 15, 2025, news broke that funding for CVE was being cut — only to be restored by CISA within 24 hours. In that short window, speculation and FUD (fear, uncertainty, and doubt) spread quickly, along with a flurry of new initiatives aiming to respond.
E07: CVE-2018-12699 - objdump is bad
It’s always interesting to hear from customers what concerns them. It helps us learn, it helps us be better, and sometimes it’s just downright boggling. Join me as I dive into a dissection of the super scary, critical (as per NVD, anyways) CVSS 9.8 vulnerability in objdump: CVE-2018-12699. The customer’s security team was so concerned because it showed up on a vulnerability scan and they needed it fixed. Did NVD get this right? Was the customer right to worry? Let’s look at the real risk.