Tag: OSVDB

  • Vuln Info Disclosure via Blogs

    [This was originally published on the OSVDB blog.] Recently, Juha-Matti Laurio questioned if there is a trend in releasing vulnerability information via blog entry. While he is right that we are seeing it a bit more frequently, I don’t think it is any different than the dozens of “hacker” or security message forums that consistently…

  • Vulnerabilities becoming more mainstream?

    [This was originally published on the OSVDB blog.] Before 2005, it was fairly rare to see a news article specifically covering a vulnerability. They would usually pop up if a vuln was used in a mass compromise, the basis of a worm propagating, or affected large vendors such as Microsoft and Oracle. This year however,…

  • If a tree falls in the woods…

    [This was originally published on the OSVDB blog.] If a researcher discloses a vulnerability only to VDBs, and some/all of them publish the information, was the vulnerability really disclosed? Yes, of course, but should it have been? Are VDBs responsible for the information? Does it fall on us to check every thing we get and…

  • Fiasco: BlackHat, Cisco, ISS, Lynn

    [This was originally published on the OSVDB blog.] There are far too many articles covering this topic to justify me rewriting the story in my own words. So in summary, relevant links with background. End up with Schneier’s commentary for a good summary and additional links. BlackHat Briefings: Cisco IOS Security Architecture by Michael Lynn http://www.blackhat.com/html/bh-usa-05/bh-usa-05-schedule.html…

  • OSVDB at DEF CON 13

    [This was originally published on the OSVDB blog.] Several project leaders and OSVDB volunteers will be attending DEF CON 13 later this week. If you would like to meet up, hang out, ask questions or pledge time (booze?!), feel free to track us down. Odds are we will be around the Alexis Park pool during…

  • Zero Day Vulnerabilities – Sell Your Soul?

    [This was originally published on the OSVDB blog.] There have been several Vulnerability Sharing Clubs (VSC) in the past including iDefense, Immunity and others. For those who question this business model, consider Verisign just purchased iDefense for US $40 million. Still not a believer? Consider 3Com/TippingPoint is now offering a new VSC called the Zero…

  • Vuln info from public sources and VDB ‘rules’?

    [This was originally published on the OSVDB blog.] This has come up in the past, and again more recently. Is information found on a vendor website, such as a changelog or bugzilla entry, fair game for inclusion in a vulnerability database? Some vendors seem to think this material is off limits. If a person keeps…

  • Classification Headache: Remote vs Local

    [This was originally published on the OSVDB blog.] http://archives.neohapsis.com/archives/bugtraq/2005-07/0238.html From: Derek Martin (code[at]pizzashack.org) Date: Thu Jul 14 2005 – 21:39:30 CDT The issue has come up on bugtraq before, but I think it is worth raising it again. The question is how to classify attacks against users’ client programs which come from the Internet, e.g. an…

  • ICAT > NVD

    [This was originally published on the OSVDB blog.] Someone brought this to my attention: http://nvd.nist.gov/ National Vulnerability Database. Welcome to NVD!! NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard. NVD contains: 11708 Vulnerabilities, 482 US-CERT…

  • Why Vulnerability Databases Can’t Do Everything

    [This was originally published on the OSVDB blog.] https://seclists.org/fulldisclosure/2005/Jul/292 From: Steven M. Christey (coley[at]mitre.org) Date: Fri Jul 15 2005 – 13:35:52 CDT Vulnerability databases and notification services have to pore through approximately 100 new public vulnerability reports a week. Correction: that’s HUNDREDS of reports, from diverse and often unproven sources, for about 100 unique vulnerabilities per…