Articles about vulnerability disclosure

So long and thanks for all the fixes: ERPScan left out of credits on Oracle bug-bash list

Oracle fixed 17 flaws in its products found by ERPScan researchers without acknowledging the application security firm, which was recently and controversially sanctioned in the US. ERPScan said vulnerabilities it uncovered affect six different business …
John Leyden, 18 Jul 2018

Like my new wheels? All I did was squash a bug, and they gave me $72k

Vuln hunters brought home the bacon last year, according to figures released today by bug bounty platform HackerOne. The Hacker-Powered Security Report is a biannual study of vulnerability disclosure ecosystems. It found that organisations resolved 27,000 vulnerabilities, earning ethical hackers $11.7m in 2017 alone. The …
John Leyden, 11 Jul 2018

Make America late again: US 'lags' China in IT security bug reporting

The US is starting to fall well behind China in terms of the speed at which organizations are alerted to reported security vulnerabilities, according to a study out this week by threat intel biz Recorded Future. The US government's National Vulnerability Database (NVD) lags China’s National Vulnerability Database (CNNVD) in …
John Leyden, 20 Oct 2017

UK vuln 'fessing pilot's great but who's going to give a FoI?

A security researcher has welcomed the UK's launch of a vulnerability co-ordination pilot while cautioning that a strategy for handling Freedom of Information requests needs to be developed. The National Cyber Security Centre (NCSC) scheme will focus on handling vulnerabilities that crop up in government-run systems. The …
John Leyden, 22 Mar 2017

WikiLeaks promises to supply CIA's hacking tool code to vendors

WikiLeaks has promised to release software code of CIA hacking tools to tech firms. The promise from chief Wikileaker Julian Assange – now ensconced in Ecuador's London embassy for four and a half years – came on Thursday during an internet-streamed press conference on Vault 7, its recent CIA cyber-weapons documents dump. "We …
John Leyden, 10 Mar 2017

CIA hacking dossier leak reignites debate over vulnerability disclosure

WikiLeaks' dump of CIA hacking tool documents on Tuesday has kicked off a debate among security vendors about whether intel agencies are stockpiling vulnerabilities, and the effect this is having on overall security hygiene. The leaked documents purport to show how the intel agency infiltrates smartphones, PCs, routers, IoT …
John Leyden, 8 Mar 2017

Google cyber-knight lances Microsoft for bug-hunter 'hostilities'

Top Google engineer Tavis Ormandy has slammed Microsoft for apparently treating security bug hunters with “great hostility”. He blasted Redmond's behaviour towards those who report vulnerabilities as he publicly revealed a new unpatched security hole in the Windows operating system - a bug that can be exploited to crash …
John Leyden, 28 May 2013

Mystery Chrome 0-day exploit to be unveiled in India on Saturday

A Georgian security researcher is due to present details of an unpatched vulnerability in Google's Chrome browser at the Malcon security conference in India over the weekend. Years ago the circumstances of Ucha Gobejishvili's presentation would hardly have raised an eyebrow but that was before Google began offering up to $60, …
John Leyden, 23 Nov 2012

ZDI spills beans on 22 zero-day bugs

The Zero Day Initiative (ZDI) has discussed the existence of unpatched flaws in 22 software applications from vendors including Microsoft, CA, EMC, HP and IBM. Advisories from the vulnerability broker giving a broad outline of the flaws and suggesting possible workarounds were published on Monday – at least a full six months …
John Leyden, 9 Feb 2011

Big vendors get deadline to fix holes, or face the music

Analysis TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws. The intrusion prevention specialist, bought by HP earlier this year, has rewarded security researchers for information about vulnerabilities via its long-running Zero Day …
John Leyden, 9 Aug 2010

Spurned security researchers form anti-MS collective

Updated Security researchers irked by how Microsoft responded to Google engineer Tavis Ormandy's public disclosure of a zero-day Windows XP Help Center security bug have banded together to form a group called the Microsoft Spurned Researcher Collective*. The group is forming a "union" in the belief that together they will be better …
John Leyden, 6 Jul 2010

Data collector threatens scribe who reported breach

A Texas company is threatening to press criminal and civil charges against a Minnesota Public Radio reporter after she uncovered a security lapse that exposed sensitive data for at least 500 people. Bellaire, Texas-based Lookout Services admits that misconfigurations on its website left databases containing names, dates of …
Dan Goodin, 15 Dec 2009

Anti-Sec spoof threatens s'kiddie mayhem

Pranksters have latched onto Anti-Sec's quixotic crusade against full disclosure of security vulnerabilities by impersonating the group in a threat to unleash an OpenSSH exploit. The impersonators threatened to release details of an unpatched vulnerability in OpenSSH, followed by worm code hours later. A post on a full …
John Leyden, 20 Jul 2009

Cybercrooks get faster, further and sneakier

Cybercrooks are becoming faster at utilising newly-discovered browser exploits. More than nine in ten of all browser-related exploits occurred within 24 hours of an official vulnerability disclosure, according to a survey by IBM's X-Force security division. The cyber-threat survey, which looked closely at information security …
John Leyden, 29 Jul 2008


Biting the hand that feeds IT © 1998–2018