Vulnerability Disclosure News, Articles and Updates
Google has significantly increased its finder's fee for vulnerability researchers.
Adobe announced Friday that it intends to release its quarterly updates next week.
An Italian analyst said he spent little time finding a new batch of vulnerabilities impacting industrial control systems.
Critical updates were released for Adobe Flash Player, Flash Media Server, Shockwave Player and Photoshop CS5.
The company joins several other high-profile web brands by providing awards to researchers who privately disclose flaws, such as cross-site scripting.
A vulnerability addressed Tuesday by Microsoft is present in the Bluetooth stack and places mobile users at risk to compromise.
The new Common Vulnerability Reporting Framework (CVRF) was designed to provide a common method for the creation, dissemination and consumption of security vulnerability data.
Microsoft on Wednesday announced new components to its Coordinated Vulnerability Disclosure program, unveiled last summer to enhance transparency around the discovery, response and handling of security flaws.
Microsoft's planned security update for next week likely will include a fix for a vulnerability that is being actively exploited.
System flaws and exploits dramatically jumped last year, but the news is not all bad, as many of the bugs were discovered by their creators.
Hackers over the weekend compromised Oracle's MySQL.com customer website via SQL injection and posted a list of usernames and passwords online.
Microsoft on Tuesday issued three patches to close four vulnerabilities that try to use a new remote attack vector to spread malware.
In this instance, the public fervor isn't over the release of secret diplomatic cables but a U.K. academic paper detailing a vulnerability in chip-and-PIN.
An exploit taking advantage of an unpatched vulnerability in Internet Explorer (IE) has gone public.
Facebook has altered the wording of its vulnerability disclosure policy to make it less strict.
Mozilla on Wednesday began offering cash rewards to researchers who discover vulnerabilities in its web applications. The move extends the company's bounty program beyond incentives for finding flaws only in its Firefox web browser, or web applications that are considered "critical" or "extraordinary" risks to customer security, according to a Tuesday blog post. Bounties will range from $500 to $3,000. A list of the domains and web applications covered under the expanded program are listed here. - DK
Two publicly known issues are expected to be addressed Tuesday when Microsoft releases 17 patches to correct 40 product vulnerabilities.
Email and web security provider Barracuda Networks announced Tuesday that it has launched a bug bounty program, becoming what is believed to be the first security vendor to award money to researchers who uncover vulnerabilities in its product line. Flaw finders can cash in between $500 and $3133.70 for locating bugs that compromise confidentiality, availability, integrity or authentication, according to Barracuda. Software providers such as Google and Mozilla offer similar programs. - DK
Google on Monday announced plans to extend its existing Chrome browser bounty program to cover some of its other properties, such as YouTube, Blogger and Orkut.
Microsoft devoted yet another patch this month to close off the possible spread of the insidious Stuxnet worm, which was built to target industrial control systems, specifically products manufactured by SCADA manufacturer Siemens.
Cybercriminals this week took advantage of a cross-site scripting vulnerability on Twitter that since has been fixed, according to security researchers
Microsoft is investigating the public report of a data-stealing vulnerability impacting its newest web browser, Internet Explorer (IE) 8.
Google on Thursday acknowledged the two-year anniversary of its Chrome browser with a new stable channel version that addresses more than a dozen security vulnerabilities. The flaws may allow an attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information, or conduct spoofing attacks, according to an advisory posted by the US-CERT on Friday. Google, which provides monetary rewards for the disclosure of security bugs, paid out $4,337 in bounties for the vulnerabilities. The Chrome 6.0.472.53 stable channel update is available for Windows, Mac and Linux users. — AM
The IBM X-Force research team has revised a part of its recently released trends and risk report that analyzed how well popular software vendors did in patching vulnerabilities disclosed in the first half of the year.
IBM X-Force's mid-year threat report examined trends in vulnerability disclosures, techniques used to foist malware and risks to virtual environments, plus much more.
Google late last week fixed 11 security flaws in its Chrome web browser that could allow an attacker to execute arbitrary code, cause a denial-of-service, or conduct spoofing attacks, according to an advisory from the US-CERT. Google, which provides monetary rewards for the disclosure of security bugs, paid more than $10,000 to various researchers for the flaws. The Google Chrome 5.0.375.127 stable channel update is available for Windows, Mac and Linux users. — AM
The bug bounty debate: Black Hat 2010 panelists debate the merits of vendors paying for vulnerabilitiesAugust 16, 2010
Alex Stamos of iSEC partners offers his take on the usefulness of incentive programs that encourage researchers to privately report vulnerabilities to vendors, in exchange for cash. While the initiatives might fatten the wallets of bug hunters, some believe it taints the mission of white-hat hackers.
In an effort to take back some of the control from vendors, the leading third-party bug bounty program plans to give providers six months to fix reported vulnerabilities -- or face limited public disclosure.
Microsoft on Thursday unveiled a new initiative that attempts to reframe the debate around vulnerability disclosure.
Fresh off the controversy of one of its researchers publicly dropping a Microsoft zero-day vulnerability, Google now is hoping to lead the development of industry-accepted standards for vulnerability disclosure.
SC Magazine Articles
- Blasphemy! Godless malware preys on nearly 90 percent of Android devices
- 'Password attacks' continue; Citrix becomes latest victim
- Guccifer 2.0 out - Cozy Bear, Fancy Bear hacked DNC, Fidelis analysis shows
- Acer breach caused by improperly stored data
- Check Point tracks two waves of Cerber ransomware hitting U.S., UK
- CEO sacked after aircraft company grounded by whaling attack
- Microsoft warns of new, self-propagating ransomware in the wild
- Wendy's POS breach 'considerably' bigger than first thought
- No hacking required: Israeli researchers show how to steal data through PC components