Tag: Vulnerability Disclosure

  • OSVDB – Classification: Exploit Status Overhaul

    [This was originally published on the OSVDB blog.] OSVDB’s classification system is designed to categorize certain attributes of a vulnerability. This facilitates custom searches by a specific attribute, helps researchers develop metrics and gives a better picture of the vulnerability landscape. Until now, we’ve tracked if an exploit is ‘available’, ‘unavailable’, ‘rumored / private’ or…

  • And You Will Know me by the Trail of Bits… (no more free bugs)

    http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/ This sums up the direction I have been heading in for some time now with regards to vulnerability disclosure. After ten years of handling vulnerability disclosure for various companies and OSVDB, I am fed up with the process. It always involves an incredible amount of time and effort hand-holding the vendor, explaining concepts they…

  • Who’s to blame? The hazard of “0-day”.

    [This was originally published on the OSVDB blog.] This blog entry is probably worth many pages of ranting, examining and dissecting the anatomy of a 0-day panic and the resulting fallout. Since this tends to happen more often than some of us care to stomach, I’ll touch on the major points and be liberal in…

  • New Classification: Discovered In the Wild

    [This was originally published on the OSVDB blog.] [October 24, 2020 Update: Since creating this flag, VulnDB now has 629 entries flagged as such.] In a recent discussion on the security metrics mailing list, Pete Lindstrom put forth a rough formula to throw out a number of vulnerabilities that have been discovered versus undiscovered. One…

  • arfis: Automated Remote File Inclusion Search

    [This was originally published on the OSVDB blog.] Nutshell What you see here is the output of the “arfis project”, a simple perl script. It automatically downloads and extracts PHP projects from sourceforge.net and checks for Remote File Inclusion vulnerabilities. It then posts the potential (now it’s -potential-, cause the script is in an early…

  • Month of Search Engine Bugs (MoSEB) Follow-up

    [This was originally published on the OSVDB blog.] Yes yes, yet another “Month of..” campaign. If you track the mail lists, you may have seen a post about a “Month of [something]” Bugs. Despite little follow-up, this campaign is going strong on the 17th day demonstrating a variety of vulnerabilities in lycos.com, search.myway.com, images.google.com, mamma.com,…

  • The value of 0-day…

    [This was originally published on the OSVDB blog.] Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high…

  • Site Specific Vulnerabilities – New Site Tracking XSS

    [This was originally published on the OSVDB blog.] A while back I wrote about VDBs and site specific vulnerabilities. The general consensus is that VDBs should not track site specific vulnerabilities, even though some do for bigger sites that provide services (i.e. Google, Gmail, Yahoo). While OSVDB does not, we recently ran across a site…

  • VDB Searching Headache: Apache

    [This was originally published on the OSVDB blog.] I had the need to search for Apache vulnerabilities today for the pesky day job. One word, one search and four hours later I realized just how bad our Apache entries were. Enter headache #1. Unfortunately, the rest of the VDBs were no better. What did I…

  • Month of Search Engines Bugs (MOSEB)

    [This was originally published on the OSVDB blog.] It was bound to happen, now we get to see a Month of Search Engine Bugs. It would be nice if this effort included some bugs with meat rather than relatively obscure cross-site scripting issues. The time has come for announcement of my new project – Month…