Microsoft researcher found Apple 0-day in March, didn’t report it
Ut tensio, sic uis! Does twice the bug pile on twice the pressure to fix it? Continue reading Microsoft researcher found Apple 0-day in March, didn’t report it
China is making sure that all newly discovered zero-day exploits are disclosed to the government.
Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.
No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.
This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China…
Amongst the 100+ vulnerabilities patched in this month’s Patch Tuesday, there are four in Microsoft Exchange that were disclosed by the NSA.
Continue reading NSA Discloses Vulnerabilities in Microsoft Exchange
I found a vulnerability in a library of vendor A, I reported it, they fixed it and I received a CVE.
We noticed that some application (let’s call it vendor B), contained the library of vendor A, we reported it, he updated the application w… Continue reading Should CVE be assigned to an application even if the vulnerability is in a vulnerable 3rd-party library?
Let’s say I’m doing a pentest on BlueCorp and find a bug in the software UnrealSec made and distributed by SecCorp which is used by BlueCorp and found during said pentest. Should I report this bug to both BlueCorp and SecCorp or only one?
… Continue reading Found a bug in a software product used by the pentesting customer; Who to report it to?
I understand that many open-source projects request vulnerabilities not to be disclosed on their public bug tracker but rather by privately contacting the project’s security team, to prevent disclosing the bug before a fix is available. Th… Continue reading How do open-source projects prevent disclosing a bug while fixing it?
The company committed to more transparency about app flaws, with an advisory page aimed at keeping the community better informed of security vulnerabilities. Continue reading WhatsApp Discloses 6 Bugs via Dedicated Security Site
An HR consultancy I know has a big data protection issue. The company provides resume editing and interview coaching services. Some of the clients include Federal employees with active security clearances.
When loading a specific URL to a… Continue reading How to report PII leaks from a small business? [closed]
I’ve found what I believe is a significant security flaw on quite a big platform. It can be exploited to obtain on the orders of millions of email addresses with some additional data. They’re big enough in that they have set up a customer … Continue reading Course of actions after finding security flaw [duplicate]
Recently I found a leaked database of a company and I do not know how to go about contacting the company. It is so weird because I cannot find any type of Information Security contact email to report this to. It just has a support email. I… Continue reading How do I inform a company I found a leaked database of theirs on the Internet? [duplicate]