Data Point on Vulnerability Research

From the Sun Java .gif parsing vulnerability

— Disclosure Timeline:
2006.06.16 – Vulnerability reported to vendor
2006.12.18 – Digital Vaccine released to TippingPoint customers
2007.01.16 – Coordinated public release of advisory

— Credit:
This vulnerability was discovered by an anonymous researcher.

This vulnerability existed on the internet for half a year before a patch was issued. What are the chances that certain sites were serving out this exploit? I recently investigated an adult chat site that used a Java client and was flagged for serving out other malware. I’m not making any claims here, but throwing out some questions.

Also, the credit is interesting to me. In the past, credit was very much like academic citations. Researchers didn’t get paid for their work (just like academics don’t get paid to publish in journals) but received a citation in the advisory. At worst, one would create a handle and use that for advisories.
