Sla.ckers.org
This is a place for us to start seriously talking about vendors. Who's great, who's not, what's it cost, how does it relate to their competitors and would we buy it? A place to talk about snakeoil, and brilliant products alike. Marketing fluff is forbidden. 
questions about how securityfocus works
Posted by: slacker
Date: April 05, 2009 11:10AM

http://it.slashdot.org/comments.pl?sid=396432&cid=21780042

That post seems rather illuminating. It suggests, among other things, that a lot of Security Focus' vulnerabilities may come from changelogs. Is there a way to tell when a vulnerability has or hasn't come from a changelog?

http://www.securityfocus.com/bid/32842/info

Due to the release dates, I think that vulnerability was pulled from a changelog. It was published on December 15, 2008 when phpBB 3.0.4 was, itself, released on December 12, 2008, per http://www.phpbb.com/community/viewtopic.php?f=14&t=1352565.

One thing I am unsure about, though... why was the vulnerability updated on March 30, 2009? I ask because I recently saw it in my RSS feed for Security Focus - presumably because of this update.

Also, why, when a vulnerability is found to be bogus does Security Focus flag it as RETIRED? This, to me, seems highly misleading. Why not flag it as BOGUS? Maybe Security Focus is trying to control their reputation by not belaboring the fact that they accepted a bogus vulnerability? If so, that would be rather hypocritical, it seems to me, given that Security Focus doesn't seem to give others the same courtesy, as evidenced by what the slashdot.org link referred to as "bottom-fishing changelogs".

And why are these "bottom-fishing changelog" submitters even given credit? If I disclose an exploit to Wordpress but not to Security Focus and Wordpress fixes it and notes it in their changelog, will some random third party come along and essentially steal the credit for it? If the source of the vulnerability claim is, say, Wordpress's changelog, shouldn't Wordpress receive the credit? If The Pirate Bay worked like Security Focus seems to, people wouldn't be downloading Microsoft Windows - they'd be downloading TPBRema Windows or m00ns Windows.

Re: questions about how securityfocus works
Posted by: ntp
Date: April 24, 2009 04:30PM

so what you're saying is "Don't diff files after revisions and look for fixes to security bugs"?

more specifically, it seems you're saying "do reveal how you found a bug". nobody is going to reveal how they found a bug. probably half the time it's some really lame reason (like changelogs). sometimes the reasons skate legal or ethical boundaries (or they may appear to). if you find 200 bugs in the same year in the same way, people will say that you're not innovating, even though you might be. it's just not common practice to say how you found a bug.

it's also very common practice to never give credit, but then to point fingers at those who don't give credit in the same breath. vulnerability researcher hypocrisy at its finest...

Re: questions about how securityfocus works
Posted by: Kellanved
Date: April 28, 2009 06:59AM

I can confirm that they indeed harvest changelogs; usually we (phpBB) get a request to explain all changelog entries marked as "Sec".
In the case linked above the credit is correct; Secunia and Securityfocus used the credit from the changelog.

What I found more troublesome was the rather high "security" score assigned to such - usually rather minor - issues. The "less" score used for rather limited information disclosure is also used for XSS vulnerabilities - which are potentially far worse.

Re: questions about how securityfocus works
Posted by: slacker
Date: April 29, 2009 08:17PM

ntp :
-------------------------------------------------------
> so what you're saying is "Don't diff files after
> revisions and look for fixes to security bugs"?
>
> more specifically, it seems you're saying "do
> reveal how you found a bug". nobody is going to
> reveal how they found a bug. probably half the
> time it's some really lame reason (like
> changelogs). sometimes the reasons skate legal or
> ethical boundaries (or they may appear to). if
> you find 200 bugs in the same year in the same
> way, people will say that you're not innovating,
> even though you might be. it's just not common
> practice to say how you found a bug.

if you found a bug by looking in a changelog or looking at diffs then i don't think it is accurate to say that you were the one who first found the bug or the vulnerability. i also don't see how that could at all be innovative. if you come up with a new way to attack an vulnerability, that's innovation, but not if you just say "xss in wordpress 2.0".

for example, if the vulnerability samy exploited had been disclosed publicly, already, samy would still be innovative because it was breaking new ground. but most vulnerabilities on securityfocus don't do that - they just say that xss is possible and leave the exploit as an exercise to the reader.

> it's also very common practice to never give
> credit, but then to point fingers at those who
> don't give credit in the same breath.
> vulnerability researcher hypocrisy at its
> finest...

based on what i've seen at securityfocus, that seems like a fair assessment.

Kellanved :
-------------------------------------------------------
> What I found more troublesome was the rather high
> "security" score assigned to such - usually rather
> minor - issues. The "less" score used for rather
> limited information disclosure is also used for
> XSS vulnerabilities - which are potentially far
> worse.

alas, such is the breadth and depth of the diff kiddies possess.

here's some food for thought:

http://devthought.com/blog/general/2009/02/the-four-stages-of-programming-/

are diff kiddies unconsciously incompetent?
