Tag: Vulnerability Disclosure

  • reply: Microsoft: Responsible Vulnerability Disclosure Protects Users

    [This was originally published on the OSVDB blog.] Microsoft: Responsible Vulnerability Disclosure Protects Users. http://www2.csoonline.com/exclusives/column.html?CID=28071 By Mark Miller, Director, Microsoft Security Response Center. Responsible disclosure, reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update, benefits the users and everyone else in the security ecosystem by providing the most comprehensive and highest-quality […]

  • Bogus RFI Reports Getting Out of Hand

    [This was originally published on the OSVDB blog.] I know we’re all getting tired of the Remote File Inclusion (RFI) vulnerabilities being disclosed that end up being debunked, but this one takes the cake so far (yes, I’m behind on e-mail). Fri Jun 16 2006, http://archives.neohapsis.com/archives/bugtraq/2006-06/0321.html: (1) path/action.php, and to files in path/nucleus including (2) media.php, (3) […]

  • [product] (script.php) Remote File Include [exploit|vulnerability]

    [This was originally published on the OSVDB blog.] Somewhere out there is a point-and-click web application that allows neophyte “security researchers” (yes, that is a joke) to quickly whip up their very own Bugtraq or Full-Disclosure post. I’m sure others have noticed this as well? More and more of the disclosures have too much in […]

  • Month of Kernel Bugs (MoKB)

    [This was originally published on the OSVDB blog.] First it was the Month of Browser Bugs (MoBB), now it is the Month of Kernel Bugs (MoKB). When I first read about it, I immediately thought of thirty odd entries about Linux Kernel Local DoS conditions. My pessimism is born out of the numerous local DoS […]

  • Insert a classy pun.

    [This was originally published on the OSVDB blog.] This entry should have been published days ago. On top of being overly busy and spread thin, I ran into a big problem related to finding a reference I wanted to include, which will lead to this being a little more ranty than intended. How is it […]

  • Full Disclosure Debate Bibliography

    [This was originally published on the OSVDB blog.] Paul Clark, Systems Librarian at the Wilderness Coast Public Libraries, has created an excellent timeline of Full Disclosure related articles. Unfortunately, mail to him is bouncing and it hasn’t been updated since 2004. Would be great to see someone pick this up.

  • Matousec’s Vulnerability Value

    [This was originally published on the OSVDB blog.] Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability […]

  • Vendor Disclosure Process

    [This was originally published on the OSVDB blog.] Ever wondered what some of the bigger vendors do in response to vulnerability disclosure? Federico Biancuzzi has written an article on his disclosure survey which may answer the question for you. Apple, Computer Associates, Google, IBM, Microsoft, Novell, Oracle, Red Hat, SAP, Sun Microsystems and Yahoo all […]

  • Wanna Date?

    [This was originally published on the OSVDB blog.] No, this isn’t some odd contest with a disappointing reward. Date an OSVDB moderator! *shudder* Think of dates in the context of vulnerability disclosure. Think of how many dates we don’t know, even in the more formal advisories (some with time lines even). OSVDB currently tracks three […]

  • Vulnerability Research Food Chain

    [This was originally published on the OSVDB blog.] I’ve mentioned the sociology aspect of the hacker, vuln researcher and security companies before, specifically how they interact, how one will influence another and more. The list of fun ideas I have on these topics is great, and maybe some day I’ll find the time to write […]