Tag: Vulnerability Disclosure
-
The curiously creeping value of the iOS vulnerability…
[This was originally published on the OSVDB blog.] The market for vulnerabilities has grown rapidly in the last five years. While the market is certainly not new, going back well over ten years, more organizations are interested in acquiring 0-day / private vulnerabilities for a variety of needs. These vulnerabilities cover the gamut in applications and…
-
Local File Inclusion vs Arbitrary File Access
[This was originally published on the OSVDB blog.] Notes for this blog have been lingering for over three years now. In the daily grind to aggregate vulnerabilities, the time to write about them gets put on the back burner frequently. Rest assured, this is not a new issue by any means. Back in the day,…
-
Mobile Devices and Exploit Vector Absurdity
[This was originally published on the OSVDB blog.] The last few days have seen several vulnerabilities disclosed that include serious gaps in logic with regard to exploitation vectors. What is being called “remote” is not. What is being called “critical” is not. Here are a few examples to highlight the problem. We beg of you,…
-
Security, Ethics, and University
[This was originally published on the OSVDB blog.] In the U.S., you are expected to know and live by certain ethical standards related to school. You are taught early on that plagiarism is bad for example. You are taught that school experiments should be done in a safe manner, that does not harm people or…
-
Our Straw House: Vulnerabilities
I was asked by RVAsec to fill in as a last minute replacement for a speaker that canceled. The topic of Vulnerability Databases (VDBs) is very familiar to me, so the only trick was cramming an intricate topic into about 50 minutes. Overall, I attempt to enumerate the serious weaknesses in most VDBs that make…
-
Researcher Security Advisory Writing Guidelines
[This was originally published on the OSVDB blog.] Researcher Security Advisory Writing Guidelines. Open Security Foundation / OSVDB.org, moderators at osvdb.org. This document has been prepared by the Open Security Foundation (OSF) to assist security researchers in working with vendors and creating advisories. Security advisories help convey important information to the community, regardless of your goals or…
-
Rebuttal: Put Up or Shut Up Rafal
[This was originally published on attrition.org. This is a rebuttal piece to Small Office, Big [Software/eHealth] Problems (2010-11-18) by @wh1t3rabbit (Rafal Los).] I’m not saying that open source sofware [sic] has more issues than commercial, closed-source code …but I don’t think I’ll find anyone to argue against that it’s more difficult to find corporate-level accountability with open-source software…
-
OSVDB – Creditee System Overhauled
[This was originally published on the OSVDB blog.] Thanks to Dave, we now have a completely re-written creditee system. For years, we operated off a four field system (name, email, company, url) for tracking vulnerability researchers. While we tracked that information, it was not flexible and led to serious problems with data integrity. Even worse,…
-
Responsible Disclosure – Old Debate, Fresh Aspects?!
[This was originally published on the OSVDB blog.] Earlier this evening, there was a Twitter debate regarding a proposed standard for responsible vulnerability disclosure. It referred to ISO/IEC 29147, a proposed standard for responsibly disclosing a vulnerability. Dino Dai Zovi brought up a fresh angle, that the “responsible disclosure” name itself completely ignored the aspect…
-
Vendors & researchers, no more decade old embargo!
[This was originally published on the OSVDB blog.] Vulnerabilities reported ten years ago, they have no impact on your customers. If they do, then you are woefully behind and your customers are desperately hanging on to legacy products, scared to upgrade. For vendors who have kept up on security and adopted a responsible and timely…