Security sites?

drmike (Member)
edited August 2011 in General

Greets:

Just was wondering what security sites you all monitor. 0-day reporting and the like.

Comments

  • secunia.com

    Thanked by 1: drmike
  • Thanks. To be honest, I'm looking more for a 0-day site where folks submit what they find and it gets published to the site. Not one where it's a corporation doing the announcements.

    Got to admit that I'm impressed about the elgg announcement:

    http://secunia.com/advisories/45596/

    Thanks though.

  • Honestly speaking, any site that publishes 0-day vulnerabilities for public consumption is doing wrong. Publishing a 0-day vulnerability can expose millions of users to great risk.

    Imagine somebody finds a 0-day vulnerability in OpenSSH and then publishes it on a site. Within a day or two we may find our boxes getting hacked by others.

    It's always ethical to allow the Software Vendor to study and work on the bug first, then fix it and only then publish that vulnerability for public scrutiny.

    The only way you can get such information at the earliest is to scan through underground sites. Sorry I can't help on that. :P

  • biplab said: Imagine somebody finds a 0-day vulnerability in OpenSSH and then publishes it on a site.

    Actually contacting the publisher first is usually a requirement before publishing occurs.

    At least it always was on the ones that I viewed. That elgg writeup is a good example of how these sites operate. You'll note that the developer was contacted first and the newer version is listed as being not a problem:

    http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html

  • Most 0-day exploits are actually reverse engineered from the latest patches of commonly used software. There is usually a window between when the latest patch gets published and when installations are updated. Sometimes it can be quite a large window, depending on how lazy the sysadmin is, which allows those 0-day exploits to execute.

  • I have no idea where you look for that sort of information beyond what appears on the usual big-name mailing lists, but are you sure you're looking for "zero-day" vulnerabilities? It sort of sounds like you're describing standard vulnerability advisories.

    Zero-day by definition precedes a patch, and if there was developer/publisher notification, the developer/publisher must have ignored it or really dragged their feet over it to lead to a zero-day publication after said notification.

    As LEA says, most would go for the low-hanging fruit of exploits written for announced vulnerabilities with patches available but hopefully unapplied. But technically those aren't "zero-day" exploits, they're "n-day" exploits with a small value of n.

  • You might be interested in subscribing to the Full Disclosure and Bugtraq mailing lists (available at seclists.org).

    biplab said: It's always ethical to allow the Software Vendor to study and work on the bug first, then fix it and only then publish that vulnerability for public scrutiny.

    If a whitehat has found the vulnerability, chances are pretty good that a blackhat has also found the vulnerability, and is actively exploiting it. And who knows how long it's going to take for the vendor to patch it? I'd much rather find out that a vulnerability has been found, even if there's not a patch available yet, because I can then take the necessary precautions myself - switch to a different sshd in your example, restrict access to the page with the vulnerability in a web application, write an IPS rule to detect the attack and drop the packets, etc.
