
Posts Tagged ‘disclosure’

full disclosure for public web apps

Friday, May 21st, 2010

There’s a new full disclosure website in town – http://www.vs-db.info names and shames sites with web application vulnerabilities (SQL injection, XSS, XSRF, CRLF injection, etc.), without providing enough detail to exploit them.

no more free bugs

Thursday, April 2nd, 2009

A very interesting development in the disclosure debate.

A few weeks ago, Charlie Miller, Alex Sotirov, and I [Dai Zovi] arrived on a new meme: No More Free Bugs.

Therefore, reporting vulnerabilities for free without any legal agreements in place is risky volunteer work. There are a number of legitimate alternatives to the risky proposition of volunteering free vulnerabilities and I have already mentioned a few (I don’t want to turn this into an advertisement or discussion on the best/proper way to monetize security research). There just need to be more legal and transparent options for monetizing security research. This would provide a fair market value for a researcher’s findings and incentivize more researchers to find and report vulnerabilities to these organizations.

vulnerability disclosure response time

Thursday, March 5th, 2009

A few months ago I found an XSS vulnerability in a product used by many people. I contacted the vendor, which happens to be a very large entity. (No, it’s not Microsoft, but that’s the only hint I’ll give.) Here’s the timeline of what’s happened so far:

  • Dec 18, 2008 – I sent an email informing them of the problem and showing them what was needed to replicate it.
  • Jan 8, 2009 – They sent me a response saying they were “evaluating and will get back to me”.
  • Feb 12, 2009 – I sent a follow-up email asking what’s going on.
  • March 5, 2009 – I got a response saying that they have verified the issue and are working on a fix.

So, does this seem like a reasonable timeline? Should I be pushing harder? This isn’t the biggest vulnerability in the world, but it still seems like something that should be fixed, and the fix shouldn’t be that hard.

MS09-002 reverse engineered

Tuesday, February 17th, 2009

ISC is reporting that they’re seeing exploits of MS09-002 in the wild. MS09-002 addresses a vulnerability which allows remote code execution on IE7. The vulnerability was first reported to MS in October of 2007 by the Zero Day Initiative. Microsoft issued the patch a week ago. Given this, ISC is also claiming that it is likely that the patch was reverse engineered to find the vulnerability, and I would have to agree. I’m sure the anti-disclosure crowd will be using this one as proof positive for their position in the future.
