Tag: OSVDB
-
Matousec’s Vulnerability Value
[This was originally published on the OSVDB blog.] Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability…
-
Vendor Disclosure Process
[This was originally published on the OSVDB blog.] Ever wondered what some of the bigger vendors do in response to vulnerability disclosure? Federico Biancuzzi has written an article on his disclosure survey which may answer the question for you. Apple, Computer Associates, Google, IBM, Microsoft, Novell, Oracle, Red Hat, SAP, Sun Microsystems and Yahoo all…
-
Numb3rs
[This was originally published on the OSVDB blog.] I’ve been with the OSVDB project for 1000 days. I am responsible for creating 20,667 entries, moderating 7,791 mangler submissions, and mangling 3,480 vulnerabilities myself. The database contains vulnerabilities dating back to 1965, spanning over 40 years. The database contains over 3,800 cross-site scripting, 2,500 SQL injection…
-
Rare case where being unprofessional is justified?
[This was originally published on the OSVDB blog.] I think I may have found it. Claus Assmann (no no, too easy) of sendmail.org recently said some words to the CVE team regarding a recent Sendmail DoS. Look at the words and think about it: BTW: it would be nice if your process of creating a…
-
Vulnerability Research In Numbers
[This was originally published on the OSVDB blog.] I’m so far behind in my daily routine and missed Thomas Ptacek’s post on Vuln Research In Numbers. Fortunately, Dave Aitel referenced the blog entry which prompted me to check it out. I so desperately want Ptacek to run his numbers against a complete OSVDB data set,…
-
Wanna Date?
[This was originally published on the OSVDB blog.] No, this isn’t some odd contest with a disappointing reward. Date an OSVDB moderator! *shudder* Think of dates in the context of vulnerability disclosure. Think of how many dates we don’t know, even in the more formal advisories (some with time lines even). OSVDB currently tracks three…
-
Vulnerability Research Food Chain
[This was originally published on the OSVDB blog.] I’ve mentioned the sociology aspect of the hacker, vuln researcher and security companies before, specifically how they interact, how one will influence another and more. The list of fun ideas I have on these topics is great, and maybe some day I’ll find the time to write…
-
No Exception for Symantec
[This was originally published on the OSVDB blog.] Symantec posted a message to Bugtraq earlier this month announcing the availability of a new advisory. The advisory presumably covers a vulnerability or issue in Symantec On-Demand Protection. If you are reading this blog entry a year from now, that is all you may find on it.…
-
Oldest Vulnerability Contest – Winner
[This was originally published on the OSVDB blog.] On December 20, 2005, I posted a contest looking for the oldest documented vulnerability. This generated a lot of interest and was posted to the FunSec Mail List which generated even more interest and information. It also led to me spending more time digging through my own…
-
DEF CON/BlackHat Thoughts
[This was originally published on the OSVDB blog.] I keep telling myself, “keep it short!” since writing about a week in Las Vegas tends to be wordy. No promises! Some 3000 people apparently showed for BlackHat briefings and it showed. Despite that much money coming in and the amount of warning Caesars/BH had before the…