Vulnerability Disclosure

Google to offer up to 20K prize for bug finds

Google has significantly increased its finder's fee for vulnerability researchers.

Adobe to release quarterly updates to address critical bugs

Adobe announced Friday that it intends to release its quarterly updates next week.

Researcher again discloses multiple SCADA flaws

An Italian analyst said he spent little time finding a new batch of vulnerabilities impacting industrial control systems.

Adobe issues critical updates for Flash, Shockwave

Critical updates were released for Adobe Flash Player, Flash Media Server, Shockwave Player and Photoshop CS5.

Facebook offers $500 bounty for security bugs

The company joins several other high-profile web brands by providing awards to researchers who privately disclose flaws, such as cross-site scripting.

Microsoft issues four patches for 22 flaws

A vulnerability addressed Tuesday by Microsoft is present in the Bluetooth stack and places mobile users at risk of compromise.

Standardized vulnerability reporting framework unveiled

The new Common Vulnerability Reporting Framework (CVRF) was designed to provide a common method for the creation, dissemination and consumption of security vulnerability data.

Microsoft updates "coordinated" bug program

Microsoft on Wednesday announced new components to its Coordinated Vulnerability Disclosure program, unveiled last summer to enhance transparency around the discovery, response and handling of security flaws.

Microsoft's April patch batch to address 64 flaws

Microsoft's planned security update for next week likely will include a fix for a vulnerability that is being actively exploited.

Number of reported vulnerabilities spiked in 2010

System flaws and exploits dramatically jumped last year, but the news is not all bad, as many of the bugs were discovered by their creators.

Oracle's MySQL.com hacked via SQL injection

Hackers over the weekend compromised Oracle's MySQL.com customer website via SQL injection and posted a list of usernames and passwords online.

Microsoft closes four vulnerabilities, including DLL issues

Microsoft on Tuesday issued three patches to close four vulnerabilities that attackers are trying to use as a new remote attack vector to spread malware.

Standing up for the freedom of information, with the help of a security bug

In this instance, the public fervor isn't over the release of secret diplomatic cables but a U.K. academic paper detailing a vulnerability in chip-and-PIN.

Exploit code posted for new Internet Explorer flaw

An exploit taking advantage of an unpatched vulnerability in Internet Explorer (IE) has gone public.

Facebook updates bug disclosure policy

Facebook has altered the wording of its vulnerability disclosure policy to make it less strict.

Mozilla extends bounty program to web applications

Mozilla on Wednesday began offering cash rewards to researchers who discover vulnerabilities in its web applications. The move extends the company's bounty program beyond incentives for finding flaws only in its Firefox web browser to web applications that are considered "critical" or "extraordinary" risks to customer security, according to a Tuesday blog post. Bounties will range from $500 to $3,000. A list of the domains and web applications covered under the expanded program is available here. - DK

Microsoft to address IE, Stuxnet flaws, 38 others

Two publicly known issues are expected to be addressed Tuesday when Microsoft releases 17 patches to correct 40 product vulnerabilities.

Barracuda first security vendor to pay for bug finds

Email and web security provider Barracuda Networks announced Tuesday that it has launched a bug bounty program, becoming what is believed to be the first security vendor to award money to researchers who uncover vulnerabilities in its product line. Flaw finders can cash in between $500 and $3133.70 for locating bugs that compromise confidentiality, availability, integrity or authentication, according to Barracuda. Software providers such as Google and Mozilla offer similar programs. - DK

Google extends bug bounties to YouTube, other sites

Google on Monday announced plans to extend its existing Chrome browser bounty program to cover some of its other properties, such as YouTube, Blogger and Orkut.

Microsoft fixes another Stuxnet-related bug, 10 others

Microsoft devoted yet another patch this month to close off the possible spread of the insidious Stuxnet worm, which was built to target industrial control systems, specifically products manufactured by SCADA manufacturer Siemens.

Twitter fixes XSS flaw after being exploited

Cybercriminals this week took advantage of a cross-site scripting vulnerability on Twitter that has since been fixed, according to security researchers.

Microsoft studies report of IE zero-day after disclosure

Microsoft is investigating the public report of a data-stealing vulnerability impacting its newest web browser, Internet Explorer (IE) 8.

Google releases Chrome 6

Google on Thursday acknowledged the two-year anniversary of its Chrome browser with a new stable channel version that addresses more than a dozen security vulnerabilities. The flaws may allow an attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information, or conduct spoofing attacks, according to an advisory posted by the US-CERT on Friday. Google, which provides monetary rewards for the disclosure of security bugs, paid out $4,337 in bounties for the vulnerabilities. The Chrome 6.0.472.53 stable channel update is available for Windows, Mac and Linux users. — AM

IBM admits erring in statistics on vendor patching

The IBM X-Force research team has revised a part of its recently released trends and risk report that analyzed how well popular software vendors did in patching vulnerabilities disclosed in the first half of the year.

IBM report shows new flaws skyrocket in first half of year

IBM X-Force's mid-year threat report examined trends in vulnerability disclosures, techniques used to foist malware and risks to virtual environments, plus much more.

Google fixes 11 flaws in Chrome

Google late last week fixed 11 security flaws in its Chrome web browser that could allow an attacker to execute arbitrary code, cause a denial-of-service, or conduct spoofing attacks, according to an advisory from the US-CERT. Google, which provides monetary rewards for the disclosure of security bugs, paid more than $10,000 to various researchers for the flaws. The Google Chrome 5.0.375.127 stable channel update is available for Windows, Mac and Linux users. — AM

The bug bounty debate: Black Hat 2010 panelists debate the merits of vendors paying for vulnerabilities

Alex Stamos of iSEC partners offers his take on the usefulness of incentive programs that encourage researchers to privately report vulnerabilities to vendors, in exchange for cash. While the initiatives might fatten the wallets of bug hunters, some believe it taints the mission of white-hat hackers.

ZDI bug bounty program imposes fix deadline for vendors

In an effort to take back some of the control from vendors, the leading third-party bug bounty program plans to give providers six months to fix reported vulnerabilities, or face limited public disclosure.

Microsoft announces "coordinated" plan for bug reporting

Microsoft on Thursday unveiled a new initiative that attempts to reframe the debate around vulnerability disclosure.

Google: Plug critical holes within 60 days across industry

Fresh off the controversy of one of its researchers publicly dropping a Microsoft zero-day vulnerability, Google now is hoping to lead the development of industry-accepted standards for vulnerability disclosure.