Missouri Governor Doesn’t Understand Responsible Disclosure

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state website and then reported it to the state.

The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.

[…]

According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in the HTML source code of the pages…

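The flaw class described above (sensitive data present in the page source but never rendered) is easy to miss in a normal review and easy to check for mechanically. The following is an added example, not code from the original post or from the Missouri application: a scanner that reports Social Security Number patterns found only in non-rendered positions of an HTML document (comments, attribute values such as hidden inputs and data-* attributes, and script/style bodies), plus the server-side fix of building the public response from an allowlist of fields. The HTML sample and the record fields are constructed for illustration.

```python
"""Added example: find SSN-shaped values that ship in HTML source without being rendered.

Not the original post's code. The sample HTML and field names below are
constructed for illustration.
"""
import re
from html.parser import HTMLParser

# US SSN layout: 3-2-4 digits with dashes. Word boundaries avoid matching inside longer numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class SourceOnlyScanner(HTMLParser):
    """Collect SSN-shaped strings that sit in the source but are not drawn on screen."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (location, matched_value)
        self._in_raw_block = 0      # depth counter for <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in_raw_block += 1
        # Attribute values (hidden inputs, data-* attributes, ids) are never
        # rendered as text but are fully visible in "view source".
        for name, value in attrs:
            if value is None:
                continue
            for match in SSN_RE.findall(value):
                self.findings.append((f"<{tag} {name}=...>", match))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_raw_block:
            self._in_raw_block -= 1

    def handle_comment(self, data):
        for match in SSN_RE.findall(data):
            self.findings.append(("<!-- comment -->", match))

    def handle_data(self, data):
        # Script and style bodies are delivered here as raw text by HTMLParser.
        if self._in_raw_block:
            for match in SSN_RE.findall(data):
                self.findings.append(("<script>/<style> body", match))
        # Visible text is deliberately not reported: an SSN drawn on screen is a
        # different (and worse) finding that an ordinary page review already catches.


def find_hidden_ssns(html: str):
    """Return (location, value) pairs for SSN patterns that are in source but not rendered."""
    parser = SourceOnlyScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (assumed layout, not the real application).
SAMPLE_HTML = """<!-- lookup result; TODO drop ssn before release: 123-45-6789 -->
<html><body>
<h1>Certification lookup</h1>
<p>Name: A. Teacher</p>
<input type="hidden" name="ssn" value="987-65-4321">
<div data-ssn="111-22-3333">Certificate: Active</div>
<script>var record = {"ssn": "555-66-7777"};</script>
</body></html>
"""

# Server-side fix: the public page is built from an allowlist of fields, so a
# sensitive column cannot ride along into the HTML, hidden or otherwise.
PUBLIC_FIELDS = ("name", "certificate_status")   # assumed field names


def public_view(record: dict) -> dict:
    """Project a database record onto the fields the public lookup page may show."""
    return {key: record[key] for key in PUBLIC_FIELDS if key in record}


if __name__ == "__main__":
    for location, value in find_hidden_ssns(SAMPLE_HTML):
        print(f"{location}: {value}")
    print(public_view({"name": "A. Teacher", "ssn": "123-45-6789", "certificate_status": "Active"}))
```

Run against the constructed page, the scanner reports four values, one per hiding place (comment, hidden input, data attribute, script body), none of which a viewer of the rendered page would see. The allowlist projection is the fix to push for in the disclosure: filtering output at the template is fragile, while selecting only public columns before rendering leaves nothing to leak.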

China Taking Control of Zero-Day Exploits

China is making sure that all newly discovered zero-day exploits are disclosed to the government.

Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.

No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.

This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China…


Should CVE be assigned to an application even if the vulnerability is in a vulnerable 3rd-party library?

I found a vulnerability in a library of vendor A, I reported it, they fixed it and I received a CVE.
We noticed that some application (let’s call it vendor B) contained the library of vendor A, we reported it, they updated the application w…

Found a bug in a software product used by the pentesting customer; Who to report it to?

Let’s say I’m doing a pentest on BlueCorp and find a bug in the software UnrealSec, made and distributed by SecCorp, which is used by BlueCorp and found during said pentest. Should I report this bug to both BlueCorp and SecCorp or only one?

How do open-source projects prevent disclosing a bug while fixing it?

I understand that many open-source projects request that vulnerabilities not be disclosed on their public bug tracker but rather by privately contacting the project’s security team, to prevent disclosing the bug before a fix is available. Th…

WhatsApp Discloses 6 Bugs via Dedicated Security Site

The company committed to more transparency about app flaws, with an advisory page aimed at keeping the community better informed of security vulnerabilities.