China Taking Control of Zero-Day Exploits

China is making sure that all newly discovered zero-day exploits are disclosed to the government.

Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.

No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.

This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China…


Should a CVE be assigned to an application even if the vulnerability is in a vulnerable 3rd-party library?

I found a vulnerability in a library from vendor A, reported it, they fixed it, and I received a CVE.
We noticed that some application (let’s call it vendor B) contained the library from vendor A. We reported it, and they updated the application w…

Found a bug in a software product used by the pentesting customer; Who to report it to?

Let’s say I’m doing a pentest on BlueCorp and, during that pentest, find a bug in UnrealSec, software made and distributed by SecCorp and used by BlueCorp. Should I report this bug to both BlueCorp and SecCorp, or only one?

How do open-source projects prevent disclosing a bug while fixing it?

I understand that many open-source projects request vulnerabilities not to be disclosed on their public bug tracker but rather by privately contacting the project’s security team, to prevent disclosing the bug before a fix is available. Th…

WhatsApp Discloses 6 Bugs via Dedicated Security Site

The company committed to more transparency about app flaws, with an advisory page aimed at keeping the community better informed of security vulnerabilities.

How do I inform a company I found a leaked database of theirs on the Internet? [duplicate]

Recently I found a leaked database of a company and I do not know how to go about contacting the company. It is so weird because I cannot find any type of Information Security contact email to report this to. It just has a support email. I…

Bug Bounty Programs Are Being Used to Buy Silence

Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers: Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug…