Welcome to Tripwire Patch Madness!

Comprised of 26 vulnerabilities divided into two conferences and four divisions, the goal of this tournament is to declare which named vulnerability is king of Patch Madness! The original list of named vulnerabilities was taken from Hanno Böck’s named vulnerabilities repo. Any entries that did not have published CVSSv2 scores were dropped (not enough of the entries had CVSSv3 scores) and the list was topped up with other named vulnerabilities to give us a total of 13 vulnerabilities per conference.

Over the years named vulnerabilities have been used to draw attention to critical issues and as a cry for attention from those that discovered them. In many cases, the criticality of the issue warrants the name, an easy to reference identifier for those that don’t enjoy keeping CVEs in their heads. There have been times though when those that discovered a vulnerability simply wanted attention. For that reason, each division, containing either 6 or 7 named vulnerabilities, has been seeded using each vulnerability’s CVSSv2 score.

The rules:

1. Each conference is comprised of 13 teams.
2. Teams were randomly assigned conferences and divisions.
3. Each conference consists of a 7-team division and a 6-team division.
4. Each division was seeded using CVSSv2 base scores.
5. Byes
   a. Within the 6-team division, the highest seeded team receives a bye in the second round.
   b. Within the 7-team division, the highest seeded team receives a bye in the first round.

While we’re not ready to reveal just how we’ve determined the winning vulnerability in each round of the tournament, we invite you to play along and tweet your thoughts on the winners using #PatchMadness.

Feel free to take the initial bracket release and complete it fully, sharing your thoughts on the outcome of the tournament.