
Open-source vulnerability disclosure: Exploitable weak spots
2023-11-09 12:14

Flaws in the vulnerability disclosure process of open-source projects could be exploited by attackers to harvest the information needed to launch attacks before patches are made available, Aqua Security researchers worry.

"Half-day" vulnerabilities are known to the maintainer and information about them is publicly exposed on GitHub or the National Vulnerability Database, but there's still no official fix.

"0.75-day" vulnerabilities have an official fix, but not a CVE number or a CPE identifier, which means that vulnerability scanning tools can't detect the vulnerable component in the organizations' environment and security teams are not aware they need to implement it.
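To make the "0.75-day" gap concrete, here is an added example (not from the article or from Aqua's research) of a toy dependency scanner run two ways over the same component inventory: once keyed on CPE identifiers, as a CVE/NVD-driven scanner would be, and once keyed on package coordinates (ecosystem, package name, fixed version) as published by the project itself. All advisories, package names, identifiers and versions are constructed placeholders; the GHSA-style ids and the CPE strings are not real records.

```python
"""Added example: why a CPE-keyed scanner misses a fix that has no CVE/CPE yet.
Everything below (advisories, packages, identifiers) is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # constructed GHSA-style id
    ecosystem: str              # e.g. "npm"
    package: str
    fixed_in: str               # first version carrying the fix
    cve: Optional[str] = None   # None while no CVE has been assigned
    cpe: Optional[str] = None   # None while no CPE has been assigned


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str
    cpe: Optional[str] = None   # what an SBOM or scanner derived for this component


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumption: plain dotted numeric versions; pre-release tags are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def cpe_matches(advisory: Advisory, component: Component) -> bool:
    """Toy CPE matcher: exact equality of CPE 2.3 names. Real CPE matching is more
    involved, but the failure mode is the same: no CPE on the advisory, no match."""
    return advisory.cpe is not None and component.cpe is not None and advisory.cpe == component.cpe


def coordinate_matches(advisory: Advisory, component: Component) -> bool:
    """Match on ecosystem + package name + version range, independent of CVE/CPE."""
    if advisory.ecosystem != component.ecosystem or advisory.package != component.name:
        return False
    return parse_version(component.version) < parse_version(advisory.fixed_in)


def scan(components: List[Component], advisories: List[Advisory],
         matcher: Callable[[Advisory, Component], bool]) -> List[Tuple[str, str]]:
    """Return sorted (component name, advisory id) pairs the given matcher flags."""
    return sorted((c.name, a.advisory_id)
                  for c in components for a in advisories if matcher(a, c))


# Constructed advisories: the first is a "0.75-day" (fix released, no CVE or CPE yet),
# the second has gone through the full CVE/CPE pipeline.
ADVISORIES = [
    Advisory("GHSA-EXAMPLE-0001", "npm", "example-parser", fixed_in="1.4.3"),
    Advisory("GHSA-EXAMPLE-0002", "npm", "other-lib", fixed_in="2.1.0",
             cve="CVE-EXAMPLE-0002",
             cpe="cpe:2.3:a:example:other-lib:2.0.0:*:*:*:*:*:*:*"),
]

# Constructed inventory: two vulnerable components and one already patched.
COMPONENTS = [
    Component("npm", "example-parser", "1.4.2",
              cpe="cpe:2.3:a:example:example-parser:1.4.2:*:*:*:*:*:*:*"),
    Component("npm", "other-lib", "2.0.0",
              cpe="cpe:2.3:a:example:other-lib:2.0.0:*:*:*:*:*:*:*"),
    Component("npm", "example-parser", "1.4.3"),
]


def cpe_findings() -> List[Tuple[str, str]]:
    return scan(COMPONENTS, ADVISORIES, cpe_matches)


def coordinate_findings() -> List[Tuple[str, str]]:
    return scan(COMPONENTS, ADVISORIES, coordinate_matches)


def missed_by_cpe() -> List[Tuple[str, str]]:
    """The 0.75-day exposures: flagged by package coordinates, invisible to the CPE pass."""
    return sorted(set(coordinate_findings()) - set(cpe_findings()))


if __name__ == "__main__":
    print("CPE-keyed findings:        ", cpe_findings())
    print("coordinate-keyed findings: ", coordinate_findings())
    print("missed by CPE-keyed scan:  ", missed_by_cpe())
```

The practical takeaway for a security team is to feed the scanner advisory sources that publish package coordinates and fixed versions at release time (the project's own advisories, ecosystem advisory databases) rather than waiting for a CVE/CPE to appear, since the fix-but-no-identifier window is exactly where the coordinate-keyed pass above still fires and the CPE-keyed pass stays silent.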

"Attackers can harvest any indicators of a new vulnerability being formed or disclosed on public platforms. Utilizing messages and meta-data found in pull requests, commits and issues the attackers can locate references to the vulnerable code, use reported proof of concept and even write their own exploit," security researchers Ilay Goldman and Yakir Kadkoda explained.

Sometimes the period of time between a vulnerability switching from 0-day to 1-day status is short, and the risk of attackers finding the publicly available information necessary to create and leverage an exploit during it is small.

Recommended mitigations include creating a responsible disclosure policy that outlines a secure process for vulnerability management, and leveraging GitHub's private reporting feature to manage vulnerabilities discreetly.


News URL

https://www.helpnetsecurity.com/2023/11/09/open-source-vulnerability-disclosure-process-flaws/