Tag: Vulnerability Disclosure
-
CryptoCurrency, Blockchain, & SCADA
[This was originally published on RiskBasedSecurity.com in the 2018 Q1 Vulnerability QuickView Report.] CryptoCurrency and Blockchain: The Latest Rage Blockchain technology, the foundation of CryptoCurrency such as Bitcoin, Ethereum, and countless others, is starting to dominate the news. With the wild ride of Bitcoin prices, where one coin was worth around $19,000 in December 2017…
-
The Blurred or Not So Blurred Lines Of Vulnerability Research
[This was originally published on RiskBasedSecurity.com.] On April 18, 2018, vpnMentor disclosed a ‘critical’ vulnerability in LG NAS devices, which also received a bit of media attention. The blog leads with “Here at vpnMentor, we are concerned about your security and privacy.” However, that didn’t seem to apply to a specific system in South Korea. In their…
-
Researchers Find One Million Vulnerabilities?!
[This was originally published on RiskBasedSecurity.com.] No researcher has yet claimed to find one million vulnerabilities, but we are sure to see that headline in the future. Every so often we see news articles touting a security researcher who found an incredible number of vulnerabilities in one product or vendor. Given that most disclosures involve…
-
Let’s X-ray SCMagazine…
[This was originally published on the OSVDB blog.] Hopefully a really quick blog, but a section of a news article titled “Hackers are having a field day with stolen credentials” by Amol Sarwate, Qualys’ Director of Vulnerability Labs, published in SC Magazine caught my attention. The section: Let’s X-ray the attack methods Typically, hackers “fingerprint”…
-
NTIA, Bug Bounty Programs, and Good Intentions
[This was originally published on the OSVDB blog.] [Note: This blog had been sitting as a 99% completed draft since early September. I lost track of time and forgot to finish it off then. Since this is still a relevant topic, I am publishing now despite it not being quite as timely in the context…
-
Yes, Font Files can Own Your Computer! For Over a Decade…
[This was originally published on RiskBasedSecurity.com.] On February 5, the Cisco Talos research team published an advisory covering several vulnerabilities in the Graphite (a.k.a. libgraphite) project. According to the vendor page, it “is a ‘smart font’ system developed specifically to handle the complexities of lesser-known languages of the world.” This prompted the media and some in our industry to comment…
-
Vendors sure like to wave the “coordination” flag… (revisiting the ‘perfect storm’)
[This was originally published on the OSVDB blog.] I’ve written about coordinated disclosure and the debate around it many times in the past. I like to think that I do so in a way that is above and beyond the usual old debate. This is another blog dedicated to an aspect of “coordinated” disclosure that…
-
An Analysis of Google’s Project Zero and Alleged Vendor Bias
[This was originally published on RiskBasedSecurity.com.] Google announced a new initiative called Project Zero. The basic premise of the project was that Google invests heavily in their own security and had for quite some time been also tasking their researchers part time work on improving the security of other high-profile products. Project Zero is Google’s…
-
Microsoft’s latest plea for CVD is as much propaganda as sincere.
[This was originally published on the OSVDB blog.] Earlier today, Chris Betz, senior director of the Microsoft Security Response Center (MSRC), posted a blog calling for “better coordinated vulnerability disclosure”. Before I begin a rebuttal of sorts, let me be absolutely clear. The entire OSVDB team is very impressed with Microsoft’s transition over the last…
-
The Five High-level Types of Vulnerability Reports
[This was originally published on the OSVDB blog.] Based on a Twitter thread started by Aaron Portnoy that was replied to by @4Dgifts asking why people would debunk vulnerability reports, I offer this quick high-level summary of what we see, and how we handle it. Note that OSVDB uses an extensive classification system (that is…