Tag: Vulnerability Disclosure

  • Advisory Archives 102 (why Mandriva hates VDBs)

    [This was originally posted on the OSVDB blog.] I recently made a post titled Mail List Archives 101 (or why SF hates VDBs) commenting about the restructure of the SecurityFocus mail list archive. In short, it’s a bad thing. Unfortunately for many people, especially vulnerability databases, this is happening more and more, on various sites.…

  • Vulnerability One Trick Pony?

    [This was originally published on the OSVDB blog.] I know the title of this may seem to be a slight on the researchers I will use as examples, but that is not the case at all. Some people in the security community have a perception that some vulnerability researchers are so-called “one trick ponies”, meaning…

  • Mail List Archives 101 (or Why SF Hates VDBs)

    [This was originally published to the OSVDB blog.] Running a mail list archive is a straightforward task. Collect, organize and make mail list posts available via the web. You can see such archives at seclists.org or the Neohapsis archive. Most folks that use archives like this have their favorites for various reasons. Speed, the…

  • Vulnerability Purchasing

    [This was originally published on the OSVDB blog.] Several years ago, iDefense started purchasing vulnerabilities from freelance researchers, and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense releases…

  • A Day in the Life of a Security Bulletin

    [This was originally published on the OSVDB blog.] A Day in the Life of a Security Bulletin (http://blogs.technet.com/msrc/archive/2005/09/28/411635.aspx) Hi all- Alexandra Huft here again! I thought you might find it interesting to see “behind the scenes” of how a security vulnerability eventually becomes a security bulletin. So, I’ll start way back at the beginning. We receive…

  • An Analysis of Reputational Risk

    [This was originally published on the OSVDB blog.] Kenneth Belva of Franklin Technologies United, Inc. announced a paper titled “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk”. The paper was delivered as the keynote address at the FiTech Summit 2005. In his announcement, he states “This paper should be regarded…

  • Vulnerability Classification Terminology

    [This was originally published on the OSVDB blog.] Local or remote, seems so simple when classifying a vulnerability. The last few years have really thrown this simple distinction for a loop. Think of a vulnerability that occurs when processing a file, such as a browser rendering a JPG or GIF, or a program like Adobe…

  • Scary Oracle Numbers

    [This was originally published on the OSVDB blog.] http://www.eweek.com/print_article2/0,1217,a=160368,00.asp “On Security, Is Oracle the Next Microsoft?”, September 16, 2005, by Paul F. Roberts. While [Oracle CSO Mary Ann Davidson] acknowledges that some of the criticism from Litchfield and others is valid, outsiders aren’t privy to the 75 percent of product holes that Oracle discovers and fixes internally.…

  • .. and the debate keeps raging

    [This was originally published on the OSVDB blog.] ZDnet Asia had an article recently, titled “Bug hunters, software firms in uneasy alliance”, which brought up the age-old full disclosure (or ‘responsible’ disclosure) debate. This prompted a Slashdot thread with various comments. My favorite pop tart, Mary Ann Davidson (chief security officer at Oracle) managed…

  • Vuln Info Disclosure via Blogs

    [This was originally published on the OSVDB blog.] Recently, Juha-Matti Laurio questioned if there is a trend in releasing vulnerability information via blog entry. While he is right that we are seeing it a bit more frequently, I don’t think it is any different than the dozens of “hacker” or security message forums that consistently…