Tag: Vulnerability Disclosure
-
Zero Day Vulnerabilities – Sell Your Soul?
[This was originally published on the OSVDB blog.] There have been several Vulnerability Sharing Clubs (VSC) in the past including iDefense, Immunity and others. For those who question this business model, consider Verisign just purchased iDefense for US $40 million. Still not a believer? Consider 3Com/TippingPoint is now offering a new VSC called the Zero…
-
Days of Risk
[This was originally published on the OSVDB blog.] The last few months have seen a lot more talk about the “Days of Risk”. In short, vendors like Microsoft say the days of risk are the time between vulnerability information (or an exploit) being released and a system being patched. So if a new vulnerability is…
-
Disclosure: Greymatter Remote login/pass Disclosure
[This was originally disclosed on the Bugtraq mail list and touched up slightly for style and mirrored on attrition.org. VulnDB 4081, CVE-2002-0324.]
Software: Greymatter 1.21c and earlier
Vulnerability: Remote administrator login/password exposure
Vendor Status: Notified [0]
I originally saw this posted on Metafilter [1] and linked to a two line description [2]. As with many other attacks,…
-
Microsoft’s Responsible Vulnerability Disclosure, The New Non-Issue
[This was originally published on attrition.org] For almost a decade, a debate over the concept of Full Disclosure has reared its ugly head. Carried out on BBSs, newsgroups, security conferences, mail lists, parties, coffee shops and everywhere else, the Full Disclosure debate can be called “long standing” to say the least. As with everything in the computer…
-
Cashing in on Vaporware
“The CERT Coordination Center is a center of Internet security expertise”, and they have a new product to sell you. Only it isn’t really new – and it was never a stellar product to begin with. For years, CERT has been a federally funded group handling incident response, vulnerability analysis and published security alerts. They…
-
Full Disclosure – Effective or Excuse?
[This was originally published on attrition.org.] A comprehensive look at the practice of Full Disclosure, problems associated with it for vendors and security companies, and examples of full disclosure put to the test. (3300 words) The world of computer security has developed a wicked game of politically correct ‘cat and mouse’. This game is played…