Tag: OSVDB
-
DHS & Your Tax Dollars
[This was originally published on the OSVDB blog.] Full Article Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity’s commercial tool for source code analysis, representatives for the three grant recipients told…
-
A Word on Solutions (Use Another Product)
[This was originally published on the OSVDB blog.] Something led you to the product that ended up on your systems. Be it a feature, a look, ease of use, or price, it was a driving force in your decision. Changing to a different product isn’t easily done, especially if your current solution is heavily integrated…
-
The Purpose of Tracking Numbers.. (HP)
[This was originally published on the OSVDB blog.] In the context of advisories, it’s simple, to help track documents and avoid confusion. Much the same reason a vulnerability database assigns a unique number to an issue. If there is confusion when discussing a vulnerability, you reference the unique ID and ideally, confusion goes away. That…
-
An Open Letter on the Interpretation of “Vulnerability Statistics”
[This was originally published on the OSVDB blog.] Steve Christey (CVE Editor) wrote an open letter to several mailing lists regarding the nature of vulnerability statistics. What he said is spot on, and most of what I would have pointed out had my previous rant been more broad, and not a direct attack on a…
-
US-CERT: A Disgrace to Vulnerability Statistics
[This was originally published on the OSVDB blog.] Several people have asked OSVDB about their thoughts on the recent US-CERT Cyber Security Bulletin 2005 Summary. Producing vulnerability statistics is trivial to do. All it takes is your favorite data set, a few queries, and off you go. Producing meaningful and useful vulnerability statistics is a…
-
The Oldest Vulnerability Contest
[This was originally published on the OSVDB blog.] What is the oldest documented vulnerability? As far as OSVDB is aware, it’s a tie between UNIX-V6 su File Descriptor Exhaustion Local Privilege Escalation and Sendmail Unspecified Multiple Security Issues (yes, we’d love to know the details of the Sendmail issues back then!). These were documented on…
-
A Word on Solutions (Edit Source Code)
[This was originally published on the OSVDB blog.] Oftentimes you will see a VDB or researcher disclosure offer the solution “Edit the source code to ensure that input is properly sanitised.” I’ve never been fond of this for several reasons. First and probably the most obvious, duh? If I proclaim “send food to the…
-
PHP-CHECKER
[This was originally posted to the OSVDB blog.] Yichen Xie and other Stanford researchers posted to bugtraq announcing “99 potential security vulnerabilities”, all SQL injections. Five issues/comments/questions come to mind: 1. This sounds impressive, but even by OSVDB’s level of abstraction (significantly higher than other VDBs), this is far from 99 vulnerabilities. Looking at the…
-
OSVDB is Closing
[This was originally published on the OSVDB blog.] OK, OSVDB is not really closing. But based on my experience with running and participating in projects and sites, the second you announce a valuable resource is going away, people come out of the woodwork to volunteer or support the project to keep it going. When the…
-
Unresponsive Vendors (and a Bit of Irony)
[This was originally published on the OSVDB blog.] Late yesterday, Jaime Blasco posted to Bugtraq looking for a security contact at 3com to further attempt to disclose a vulnerability in one of their products responsibly. Such posts are not uncommon these days, and one of the driving forces behind the OSVDB Vendor Dictionary. For vendors…