Closing the cyber risk window of opportunity that criminals exploit

When a new software vulnerability is reported, vulnerability scans are not the most efficient or effective method to detect that vulnerability in your digital ecosystem and prevent a cyber disaster. Why?

Because vulnerability scans typically rely on a scanning tool that uses a "YAML" signature file listing all known vulnerability "indicators", and it can take days or even weeks for that signature file to be updated before you can even begin to check for a new vulnerability, leaving a wide-open window of exposure and exploitation for days or even weeks. Even NERC CIP 010-4 recommends the outdated and inefficient "status quo" practice of vulnerability scanning: "3. Vulnerability Scanning – Use of a vulnerability scanning tool to identify network accessible ports and services along with the identification of known vulnerabilities associated with services running on those ports." That is truly bad advice. No wonder the latest DOE report is so critical of vulnerability detection practices across the energy industry/DOE.

Tom Alrich wrote an article describing the many problems with NERC CIP, suggesting that NERC CIP-07 needs a rewrite to focus on vulnerability management. I agree 100%.

Also, many vulnerability scanners only check network ports for vulnerabilities, which misses many of the "Living off the Land" vulnerabilities used to gain root access, like this one that a fellow software engineer working at the same company discovered in ping in 1997. A vulnerability like this should be reported in a vendor-provided Vulnerability Disclosure Report (VDR), preferably following the NIST SP 800-161r1 RA-5 standard.

Cyber insurers have also keyed into the high risk that CVEs represent and are now limiting payments when a breach occurs because of a known CVE (CISA KEV) that has not been mitigated or patched. Cyber-crime statistics for 2025 show a rise in cyber-crime related to software vulnerabilities that the affected parties didn't even know existed in their running products. Watch out for those cyber-icebergs; they can ruin your day. Show the cyber insurance providers that you apply best practices for "Cyber Risk Management" to detect vulnerabilities and rapidly close the window of opportunity that cyber criminals rely on, by following the approach outlined here and the guidance offered by NIST and CISA: https://cisa.gov/sag

AI methods have exacerbated the risk of exploitation, with proof that a known CISA KEV can be exploited within 15 minutes, making the need to respond to cyber vulnerabilities and close the window of opportunity as soon as possible a high priority.


There is a much more efficient and effective method available that can warn you of vulnerabilities and risk much more quickly (in seconds) and more accurately, enabling you to take action ASAP. Here is how it works:

1. A vulnerability is reported, indicating the presence of a new, previously unreported software vulnerability; at the same time, product producers update their online, living Vulnerability Disclosure Reports (VDR) and Security Advisories (SA).
2. The CVE/proprietary vulnerability report acts as a trigger to immediately contact your software producers and check whether the new vulnerability affects the product/version you are running, by downloading the UPDATED product NIST SBOM Vulnerability Disclosure Report (VDR). The VDR provides real-time product vulnerability status information (like a CARFAX report for software products and digital devices), directly from the only party that can tell you authoritatively whether you are affected (the product producer/manufacturer) and, if so, the steps to take to prevent a cyber disaster. This method reduces the attacker's window of opportunity from days to hours, minimizing risk exposure to software vulnerabilities in a digital ecosystem.

The application of VDR to rapidly check for product vulnerabilities was also discussed in this article aimed at improving supply chain risk management processes for the DoD. There is one big obstacle with VDR: most are created in proprietary formats that don't follow the NIST SP 800-161r1 RA-5 standard, forcing consumers to know and process each proprietary VDR format 😟. Here is an example of a Cisco proprietary VDR listing the CVEs reported for the IOS version 15.7(3)M3 product, one of the many proprietary VDR formats that currently exist. Here is an example proprietary VDR from Palo Alto Networks; note the difference in format and content compared with the Cisco proprietary VDR and the NIST VDR SP 800-161r1 RA-5 standard.

[This presentation to the US FDA explains the different types of machine readable vulnerability reporting options available today including Security Advisories and VDRs]

The SAG-PM software contains a VDRcheck action that performs this automatic download of the latest online product NIST VDR document, checks whether the new CVE is listed, and confirms that the VDR has been updated after the time when the new CVE was reported.
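As an added illustration (not the SAG-PM code, which is not shown on this page), here is the core of a VDRcheck-style test in Python covering the two steps above: given the CVE ID and its publication time, it confirms the VDR is for the product/version you run, rejects a VDR that is older than the CVE (a VDR written before the CVE existed cannot say anything about it, so "not listed" would be meaningless), and only then reads the producer's verdict. It assumes a CycloneDX-style JSON VDR; the sample document, product name, version, CVE IDs and timestamps are all constructed.

```python
"""VDRcheck-style lookup: is this CVE listed for my product, and is the VDR fresh enough?"""
import json
from datetime import datetime

# Constructed sample VDR in a CycloneDX-style JSON layout (an assumption: the
# page does not specify the NIST VDR file format). All values are made up.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {
        "timestamp": "2025-03-02T09:30:00+00:00",   # when the producer last updated the VDR
        "component": {"bom-ref": "prod-1", "name": "example-router-os",
                      "version": "9.1.0"},
    },
    "vulnerabilities": [
        {"id": "CVE-2025-00001", "affects": [{"ref": "prod-1"}],
         "analysis": {"state": "exploitable"}},
        {"id": "CVE-2025-00002", "affects": [{"ref": "prod-1"}],
         "analysis": {"state": "not_affected"}},
    ],
})

# CycloneDX analysis states grouped into the answer a consumer needs.
_AFFECTED = {"exploitable"}
_NOT_AFFECTED = {"not_affected", "false_positive"}
_RESOLVED = {"resolved", "resolved_with_pedigree"}


def vdr_check(vdr_json, cve_id, cve_published, product, version):
    """Return 'wrong_product', 'stale', 'affected', 'not_affected',
    'resolved', 'under_review' or 'not_listed' for cve_id on product/version."""
    vdr = json.loads(vdr_json)
    comp = vdr["metadata"]["component"]
    if (comp["name"], comp["version"]) != (product, version):
        return "wrong_product"  # never trust a VDR for a different build
    # Freshness gate: the VDR must have been updated after the CVE was published.
    if datetime.fromisoformat(vdr["metadata"]["timestamp"]) < datetime.fromisoformat(cve_published):
        return "stale"
    for vuln in vdr.get("vulnerabilities", []):
        if vuln.get("id") != cve_id:
            continue
        if not any(a.get("ref") == comp["bom-ref"] for a in vuln.get("affects", [])):
            continue  # listed, but not against this product's bom-ref
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state in _AFFECTED:
            return "affected"
        if state in _NOT_AFFECTED:
            return "not_affected"
        if state in _RESOLVED:
            return "resolved"
        return "under_review"  # in_triage or an unknown state: producer has not decided
    return "not_listed"  # fresh VDR, CVE absent: producer has not flagged it for this product
```

In a fresh VDR, "not_listed" and "under_review" are not a clean bill of health; they are the signal to contact the producer, which is the whole point of the trigger described above.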

What information does a NIST Vulnerability Disclosure Report provide about a reported vulnerability (CVE):

Here is an example of a proprietary vulnerability (not public, with no official CVE ID) in a VDR (a PDF version is available here):


Instead of waiting days for a vulnerability scanner to update and hours for a vulnerability scan to run, you can find out within seconds after a vulnerability is reported whether your software products and devices are affected by the new vulnerability, using VDR information provided directly by the product producer. The time savings from this approach allow an immediate mitigation response to protect yourself from new vulnerabilities, shrinking the window of susceptibility for criminals to attack to minutes. This is the kind of rapid response we need to prevent cyber-crimes, minimizing the "window of opportunity for exploitation" and reducing risk exposure to hours, not days or weeks.

This is how we shift from the cybersecurity "status quo" mindset to the more effective "Cyber Risk Management" methods and practices to protect a party from cyber-crimes.

Microsoft Copilot provides a succinct summary of how SBOM and VDR are correlated:
