Security News

High severity vulnerabilities found in Harbor open-source artifact registry
2022-09-19 09:54

Oxeye security researchers have uncovered several new high severity variants of the IDOR vulnerabilities in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. Harbor is an open-source cloud native registry project that stores, signs, and scans content.

Nearly one in two industry pros scaled back open source use over security fears
2022-09-14 19:29

About 40 percent of industry professionals say their organizations have reduced their usage of open source software due to concerns about security, according to a survey conducted by data science firm Anaconda. About 33 percent of commercial respondents said they had not scaled back on open source, 7 percent said they had increased usage, and 20 percent said they weren't sure.

Google urges open source community to fuzz test code
2022-09-08 21:00

Google's open source security team says OSS-Fuzz, its community fuzzing service, has helped fix more than 8,000 security vulnerabilities and 26,000 other bugs in open source projects since its 2016 debut. The group would like to see open source developers do more fuzzing to make the world a better place, or at least make software a bit more secure.

Malware dev open-sources CodeRAT after being exposed
2022-09-03 14:12

The source code of a remote access trojan dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environments for Windows and Android, and even individual websites like PayPal.

Google invites bug hunters to scrutinize its open source projects
2022-08-31 11:10

Google wants to improve the security of its open source projects and those projects' third-party dependencies by offering rewards for bugs found in them. Google offers rewards for bugs in its open source software.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks
2022-08-31 05:42

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 to secure the ecosystem from supply chain attacks. Called the Open Source Software Vulnerability Rewards Program, the offering is one of the first open source-specific vulnerability programs.

5 open-source vulnerability assessment tools to try out
2022-08-31 04:00

A vulnerability assessment is a methodical examination of network infrastructure, computer systems, and software with the goal of identifying and addressing known security flaws. Usually, the vulnerability scanning tool also provides instructions on how to remediate or mitigate the discovered flaws.

Find a security hole in Google's open source and you could bag a $31,337 reward
2022-08-30 22:58

Google has created a bug bounty program that will reward those who find and report vulnerabilities in its open-source projects, thereby hopefully strengthening software supply-chain security. The Open Source Software Vulnerability Rewards Program will pay bug hunters between $100 and $31,337, with the highest payments going to "Unusual or particularly interesting vulnerabilities," according to Googlers Francis Perron, open source security technical program manager, and infosec engineer Krzysztof Kotowicz.

Google launches open-source software bug bounty program
2022-08-30 11:00

Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software. The company's newly announced Vulnerability Reward Program focuses on Google software and repository settings.

7 open-source malware analysis tools you should try out
2022-08-23 05:00

This type of analysis may reveal to malware analysts not only what the malware does, but also its developer's future intentions. All the malware analysis tools listed below can be freely downloaded and used.