Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The process isn't clear to me. So the vendor communicates "fixed" to you? Or do I report to the vendor and to you simultaneously using this mechanism, and then I subsequently follow up with you? Does the vendor communicate with me? You? Both of us? How?

What happens in disputed cases? (eg I have reported unsafe calls in signal handlers to be told "no working exploit, no fix"). Now what? I still have to publicly disclose vulns in my own infrastructure to get traction? What have I gained by going to vulnarb? Even assuming consumers consult such a service what can they learn if the details (severity) of the issues is not available?

I don't think I can sell this to my CSO ("there's a guy on the 'net that says I should send him encrypted text of exploits that I've found in our infrastructure"). And for stuff that doesn't touch my day job: what's your sales pitch over ZDI?

I thought the shell script was neat but sorry, I'm not really compelled by your service proposition.

EDIT: your _current_ service proposition ;-)



The vendor indicates "fixed" by posting the decrypted exploit data against their entry in Zed's database.

If the bug was benign in the first place, they can post the decrypted exploit without worrying about it or doing anything.


Even when a bug has been fixed in trunk a vendor may not wish to reveal the details of an exploit (either publicly or "just to zed").

A sensitive researcher may not wish their details of their techniques or findings to be revealed to a wider audience.

For context only (I don't want to do the responsible disclosure debate again...) please consider eg recent bugtraq SCADA announcent or Sockstress.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: