- Hands-On Bug Hunting for Penetration Testers
- Joseph Marshall
- 2021-07-16 17:53:06
ZeroDisclo and Coordinated Vulnerability Disclosures
If you've discovered a serious, high-profile vulnerability affecting critical services on a large scale, you should be aware of certain quirks of coordinated vulnerability disclosure.
Coordinated vulnerability disclosure is a set of protocols around report submission. It describes a process in which the reporter of a vulnerability, the vendor of the component containing the vulnerability, and any third parties (including other companies that use the vulnerable component) work together to fix the issue and to disclose its existence to the general public.
One possible third party in this arrangement is a company such as ZeroDisclo, which, as mentioned earlier, is also associated with the European company YesWeHack (and BountyFactory). Here's an excerpt from ZeroDisclo's website describing their services:
Discoverers of vulnerabilities often experience difficulties in reporting them to the organizations concerned without disclosing them to a third party, and unfortunately direct contact with companies constitutes a legal risk.
A long-time partner of the security research community through its founders, YesWeHack is proud to present https://zerodisclo.com/. This non-profit platform provides the technical means and the required environment for all to adopt the coordinated reporting of vulnerabilities commonly known as Coordinated Vulnerability Disclosure.
In this case, if a researcher found a serious vulnerability in a core internet service (for example, JavaScript) but didn't know who to report it to or, more likely, feared legal retribution from an affected company, they could visit ZeroDisclo, over either HTTPS or Tor, and fill out a form describing the nature of the vulnerability and its technical details. ZeroDisclo would then vet the submission and report it to the affected parties while keeping the original discoverer of the vulnerability anonymous.
If you choose to do this, be careful, because you could be breaking program policy. The Internet Bug Bounty program, discussed in the preceding section, has a specific question in its FAQ dedicated to using third-party brokers:
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the security team.
Make sure you consider all your options before submitting through a third-party broker. If you decide to use one, take precautions to stay anonymous, such as submitting over Tor, to protect yourself.