Security News

GRIMM launches Private Vulnerability Disclosure program to allow defenders to get ahead of the unknown
2021-03-30 02:00

GRIMM announced the launch of the company's new Private Vulnerability Disclosure program. This offering allows defenders to get ahead of the attack curve, instead of reacting to unknown threats, by providing previously unknown vulnerabilities.

Report: US Gov Executive Order to Mandate Data Breach Disclosure
2021-03-26 16:54

A proposed executive order would set new rules on the disclosure of data breaches that also affect United States government agencies, according to a Reuters news report. The report said the executive order, which could be released as soon as the next week, would require software vendors to notify U.S. government customers of cyber-security breaches that also affect them.

The perils of non-disclosure? China 'cloned and used' NSA zero-day exploit for years before it was made public
2021-02-23 00:50

A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed. Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty was spawned sometime around 2014 from NSA exploit code that eventually leaked online in 2017.

2020 vulnerability disclosures on track to exceed those from 2019
2021-02-12 04:30

2020 vulnerability disclosures are on track to exceed 2019 despite a sharp decrease of 19.2% observed earlier in the year, according to Risk Based Security. Despite the initial disruption from COVID-19, the trend of total number of vulnerabilities suggests that business operations and routines have normalized as the gap has closed to 0.98%. "2020 could be titled 'The Great Catch-up'. We saw an incredible drop of 19.2% in Q1, but with each subsequent quarter that massive gap steadily closed," commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

2020 to reach vulnerability disclosure levels similar to those in 2019
2020-12-10 05:00

The number of vulnerability disclosures is back on track to reach or bypass 2019 as we head into 2021, according to Risk Based Security. Earlier in 2020 that gap was instead a sharp decline of 19.2%. "At the end of Q1 this year, we saw what appeared to be a sharp decline in vulnerability disclosures as compared to 2019, dropping by 19.2%. Statistically that is huge," commented Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

The effectiveness of vulnerability disclosure and exploit development
2020-11-19 06:00

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space - namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.

Information Disclosure, XSS Vulnerabilities Patched in Drupal
2020-09-17 14:39

Several information disclosure and cross-site scripting vulnerabilities, including one rated critical, have been patched this week in the Drupal content management system. The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9.

UK's NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process
2020-09-16 07:21

The U.K.'s National Cyber Security Center has released a guide to help organizations get started with implementing a vulnerability disclosure process. A well-defined vulnerability disclosure program, NCSC argues, prevents reputational damage that public disclosure may cause, and allows companies not only to establish a way to take action on the identified vulnerabilities, but also to inform the reporting entity that the issue is being managed.

It’s No ‘Giggle’: Managing Expectations for Vulnerability Disclosure
2020-09-11 19:18

"Facebook's VDP addresses vulnerabilities of third parties, which helps to normalize vulnerability disclosure," security researcher and bug-hunter Mike Takahashi told Threatpost. While the VDP moves are net positives for cybersecurity, the juxtaposition of VDP rollouts with Giggle issue shows that VDPs aren't simply a blanket golden ticket to a harmonious vendor-researcher relationship, researchers noted.

Vulnerability Disclosure: Ethical Hackers Seek Best Practices
2020-09-04 16:55

The process of vulnerability disclosure has improved over the years, but still too many security researchers face threats when trying to report bugs. Disclosure policies that give ethical hackers clear guidelines are vast and varied and are seldom universally followed, which adds to the friction between researchers and vendors.