Tag: Vulnerability Disclosure

  • The value of 0-day…

    [This was originally published on the OSVDB blog.] Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high […]

  • Site Specific Vulnerabilities – New Site Tracking XSS

    [This was originally published on the OSVDB blog.] A while back I wrote about VDBs and site specific vulnerabilities. The general consensus is that VDBs should not track site specific vulnerabilities, even though some do for bigger sites that provide services (e.g. Google, Gmail, Yahoo). While OSVDB does not, we recently ran across a site […]

  • VDB Searching Headache: Apache

    [This was originally published on the OSVDB blog.] I had the need to search for Apache vulnerabilities today for the pesky day job. One word, one search and four hours later I realized just how bad our Apache entries were. Enter headache #1. Unfortunately, the rest of the VDBs were no better. What did I […]

  • Month of Search Engines Bugs (MOSEB)

    [This was originally published on the OSVDB blog.] It was bound to happen, now we get to see a Month of Search Engine Bugs. It would be nice if this effort included some bugs with meat rather than relatively obscure cross-site scripting issues. The time has come for announcement of my new project – Month […]

  • Analogies Keep Failing

    [This was originally published on the OSVDB blog.] One of the most often used, and later debated, analogies used for actions in the security/hacker industry is that of comparing port scanning to walking down a road checking doors and windows to see which are unlocked. This is fundamentally flawed because port scanning looks for open […]

  • [update] Month of PHP Bugs

    [This was originally published on the OSVDB blog.] I previously blogged about the Month of PHP Bugs [MOPB], an effort led by Stefan Esser and the Hardened PHP Project to raise awareness about vulnerabilities in the PHP language. The month has come and passed and of course I have to wonder about a few things. […]

  • Month of MySpace Bugs (MOMSB)

    [This was originally published on the OSVDB blog.] Yes, the trend continues and gets more .. odd. The Washington Post decided to cover this story giving it more attention than it probably deserves. From the home page of the effort: The purpose of the exercise is not so much to expose Myspace as a hive […]

  • Month of PHP Bugs

    [This was originally published on the OSVDB blog.] Hell hath no fury like a PHP developer scorned… http://blog.php-security.org/archives/46-Month-of-PHP-bugs.html During the last months there have been the Month of the Browser bugs and the Month of the Kernel bugs projects that tried to raise awareness for security vulnerabilities in browsers and kernels. After thinking a bit […]

  • Month of .. who?!

    [This was originally published on the OSVDB blog.] http://rixstep.com/2/20070104,00.shtml A Month of Rixstep Bugs It’s a win-win proposition. Starting now and for the duration of January 2007 Rixstep will be holding a ‘Month of Rixstep Bugs’ campaign: find a bug in any Rixstep software product and win a prize. It’s not a win-win proposition, it […]

  • reply: MJR: The Vulnerability Disclosure Game: Are We More Secure?

    [This was originally published on the OSVDB blog.] The Vulnerability Disclosure Game: Are We More Secure? http://www2.csoonline.com/exclusives/column.html?CID=28072 By Marcus J. Ranum. Do you remember the original premise of the disclosure game? By publicly announcing vulnerabilities in products we will force the vendors to be more responsive in fixing them, and security will be better. Remember that one? […]