http://it.slashdot.org/comments.pl?sid=396432&cid=21780042

That post seems rather illuminating. It suggests, among other things, that a lot of Security Focus' vulnerabilities may come from changelogs. Is there a way to tell when a vulnerability has or hasn't come from a changelog?

http://www.securityfocus.com/bid/32842/info

Due to the release dates, I think that vulnerability was pulled from a changelog. It was published on December 15, 2008 when phpBB 3.0.4 was, itself, released on December 12, 2008, per http://www.phpbb.com/community/viewtopic.php?f=14&t=1352565.

One thing I am unsure about, though... why was the vulnerability updated on March 30, 2009? I ask because I recently saw it in my RSS feed for Security Focus - presumably because of this update.

Also, why, when a vulnerability is found to be bogus does Security Focus flag it as RETIRED? This, to me, seems highly misleading. Why not flag it as BOGUS? Maybe Security Focus is trying to control their reputation by not belaboring the fact that they accepted a bogus vulnerability? If so, that would be rather hypocritical, it seems to me, given that Security Focus doesn't seem to give others the same courtesy, as evidenced by what the slashdot.org link referred to as "bottom-fishing changelogs".

And why are these "bottom-fishing changelog" submitters even given credit? If I disclose an exploit to Wordpress but not to Security Focus and Wordpress fixes it and notes it in their changelog, will some random third party come along and essentially steal the credit for it? If the source of vulnerability claim is, say, Wordpress's changelog, shouldn't Wordpress receive the credit? If The Pirate Bay worked liked Security Focus seems to, people wouldn't be downloading Microsoft Windows - they'd be downloading TPBRema Windows or m00ns Windows.

so what you're saying is "Don't diff files after revisions and look for fixes to security bugs"?

more specifically, it seems you're saying "do reveal how you found a bug". nobody is going to reveal how they found a bug. probably half the time it's some really lame reason (like changelogs). sometimes the reasons skate legal or ethical boundaries (or they may appear to). if you find 200 bugs in the same year in the same way, people will say that you're not innovating, even though you might be. it's just not common practice to say how you found a bug.

it's also very common practice to never give credit, but then to point fingers at those who don't give credit in the same breath. vulnerability researcher hypocrisy at its finest...

I can confirm that they indeed harvest changelogs; usually we (phpBB) get a request to explain all changelog entries marked as "Sec".
In the case linked above the credit is correct; Secunia and Securityfocus used the credit from the changelog.

What I found more troublesome was the rather high "security" score assigned to such - usually rather minor - issues. The "less" score used for rather limited information disclosure is also used for XSS vulnerabilities - which are potentially far worse.

ntp :
-------------------------------------------------------
> so what you're saying is "Don't diff after
> and look for fixes to "?
>
> more specifically, it seems you're saying "do
> reveal how you found a ". nobody is going to
> reveal how they found a . probably half the
> it's some really lame (like
> changelogs). sometimes the or
> ethical boundaries (or they may appear to). if
> you find 200 in the same year in the same
> way, people will say that you're not innovating,
> even though you might be. it's just not
> practice to say how you found a .

if you found a by looking in a changelog or looking at diffs then i don't think it is accurate to say that you were the one who first found the or the vulnerability. i also don't see how that could at all be innovative. if you come up with a new way to attack an vulnerability, that's innovation, but not if you just say "xss in wordpress 2.0".

for example, if the vulnerability samy exploited had been disclosed publicly, already, samy would still be innovative because it was breaking new ground. but most vulnerabilities on securityfocus don't do that - they just say that xss is possible and leave the exploit as an to the reader.

> it's also very practice to never give
> credit, but then to point at those who
> don't give credit in the same .
> vulnerability hypocrisy at its
> finest...

based on what i've seen at securityfocus, that seems like a fair assessment.

Kellanved :
-------------------------------------------------------
> What I found more troublesome was the rather high
> "" assigned to such - usually rather
> minor - issues. The "less" used for rather
> limited is also used for
> XSS vulnerabilities - which are potentially far
> .

alas, such is the breadth and depth of the diff kiddies possess.

here's some for thought:

http://devthought.com/blog/general/2009/02/the-four-stages-of-programming-/

are diff kiddies unconsciously incompetent?