Tag: OSVDB

  • Mail List Archives 101 (or Why SF Hates VDBs)

    [This was originally published to the OSVDB blog.] Running a mail list archive is a straightforward task. Collect, organize and make mail list posts available via the web. You can see such archives at seclists.org or the Neohapsis archive. Most folks that use archives like this have their favorites for various reasons. Speed, the…

  • Vulnerability Purchasing

    [This was originally published on the OSVDB blog.] Several years ago, iDefense started purchasing vulnerabilities from freelance researchers, and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense releases…

  • Vendors Hate VDBs

    [This was originally published on the OSVDB blog.] I’ve spent the last few hours working on the OSVDB database, specifically working on making sure that we had entries that correspond with two vendors and their security issues. After an hour or two of digging through the Hitachi advisories, I questioned why we only had ~…

  • Vendor Protection Rackets

    [This was originally published on the OSVDB blog.] I had planned on writing about this weeks ago but got swamped with that pesky day job along with the steady stream of new vulnerabilities released daily. That steady stream that absolutely will not get better with vendors taking a new approach to dealing with them. Fortunately…

  • A Day in the Life of a Security Bulletin

    [This was originally published on the OSVDB blog.] A Day in the Life of a Security Bulletin – http://blogs.technet.com/msrc/archive/2005/09/28/411635.aspx – Hi all- Alexandra Huft here again! I thought you might find it interesting to see “behind the scenes” of how a security vulnerability eventually becomes a security bulletin. So, I’ll start way back at the beginning. We receive…

  • An Analysis of Reputational Risk

    [This was originally published on the OSVDB blog.] Kenneth Belva of Franklin Technologies United, Inc. announced a paper titled “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk”. The paper was delivered as the keynote address at the FiTech Summit 2005. In his announcement, he states “This paper should be regarded…

  • MusicPlasma for Vulnerabilities

    [This was originally published on the OSVDB blog.] A couple years back, I ran across musicplasma. For those not familiar with the engine, it allows you to type in your favorite music artist/band, and see “related” artists. So I type in “portishead” (mmmm) and see related bands like Tricky, and Sneakerpimps. These are all considered…

  • “OSS means slower patches” – huh?!

    [This was originally posted on the OSVDB blog.] http://australianit.news.com.au/articles/0,7204[..].html – “OSS means slower patches”, Chris Jenkins, SEPTEMBER 19, 2005. This was posted to Full-Disclosure where I first replied, and ISN picked up. Articles like this do nothing positive for our industry. Jenkins should not waste his time writing fluff pieces like this, and he should do some digging or…

  • Scary Oracle Numbers

    [This was originally published on the OSVDB blog.] http://www.eweek.com/print_article2/0,1217,a=160368,00.asp – “On Security, Is Oracle the Next Microsoft?”, September 16, 2005, By Paul F. Roberts. While [Oracle CSO Mary Ann Davidson] acknowledges that some of the criticism from Litchfield and others is valid, outsiders aren’t privy to the 75 percent of product holes that Oracle discovers and fixes internally.…

  • .. and the debate keeps raging

    [This was originally published on the OSVDB blog.] ZDnet Asia had an article recently, titled “Bug hunters, software firms in uneasy alliance” which brought up the age old full disclosure (or ‘responsible’ disclosure) debate. This prompted a slashdot thread with various comments. My favorite pop tart, Mary Ann Davidson (chief security officer at Oracle) managed…