[VIM] Re: discuss: VulnDisco

security curmudgeon jericho at attrition.org
Wed May 18 00:58:57 EDT 2005


: Ignoring the ethical questions that it raises regarding disclosure,
: the report does not provide sufficient information that
: 
:  - could allow a DB to know if the issue is truly 0day (i.e., to make
:    sure it's not a duplicate of something that's already in the DB)

I haven't looked, but there is a chance some of them could be determined. 
"Product X remote overflow" would be new if we found no mention of that 
product having a remote overflow before. Still not that helpful since 
previous entries might be "remote DoS" and it is unclear that it was an 
overflow causing the DoS.

:  - could allow a vendor to validate and repair the issue
: 
:  - could allow a third party to validate and repair the issue

The best hope of getting it validated at all would be them providing a 
copy to Dave Aitel or Immunity and getting some kind of confirmation that 
the exploits are real. It would still leave a lot of this up in the air, 
but having someone I trust technically to validate them helps a lot.

: Then again, it's not much less informative than security advisories from 
: some vendors.

So true =)

: How's that for a non-answer? ;-)

Hah, exactly what I expected actually. This is a rough issue for VDBs.

: (I'm still thinking about it for CVE.)

I'm keeping track of them so far, but not making entries. I'm curious if 
just the postings so far will prompt someone to find the vulns and 
disclose them. 


More information about the VIM mailing list