The process isn't clear to me. So the vendor communicates "fixed" to you? Or do I report to the vendor and to you simultaneously using this mechanism, and then I subsequently follow up with you? Does the vendor communicate with me? You? Both of us? How?
What happens in disputed cases? (eg I have reported unsafe calls in signal handlers to be told "no working exploit, no fix"). Now what? I still have to publicly disclose vulns in my own infrastructure to get traction? What have I gained by going to vulnarb? Even assuming consumers consult such a service what can they learn if the details (severity) of the issues is not available?
I don't think I can sell this to my CSO ("there's a guy on the 'net that says I should send him encrypted text of exploits that I've found in our infrastructure"). And for stuff that doesn't touch my day job: what's your sales pitch over ZDI?
I thought the shell script was neat but sorry, I'm not really compelled by your service proposition.
What happens in disputed cases? (eg I have reported unsafe calls in signal handlers to be told "no working exploit, no fix"). Now what? I still have to publicly disclose vulns in my own infrastructure to get traction? What have I gained by going to vulnarb? Even assuming consumers consult such a service what can they learn if the details (severity) of the issues is not available?
I don't think I can sell this to my CSO ("there's a guy on the 'net that says I should send him encrypted text of exploits that I've found in our infrastructure"). And for stuff that doesn't touch my day job: what's your sales pitch over ZDI?
I thought the shell script was neat but sorry, I'm not really compelled by your service proposition.
EDIT: your _current_ service proposition ;-)