1-866-PLYNT-24
|
Notarized advisories - new trend in vulnerability disclosure
Halvar Flake sent a mail with two hash values to the Daily Dave mailing list.
Just the hash values, and nothing else.
This is called a notarized advisory. Halvar found a vulnerability or something which he would like to keep a secret. He wrote a paper on it, calculated the hash of the paper and publicized the hash. When he’s ready to let the secret out, say months from now, he can prove that he wrote that paper in Feb 2007 as he had circulated its hash in Feb.
This is the next step in responsible vulnerability disclosure. Don’t publish the exploit, just publish its hash. Share the vuln details only with the vendor. When the vendor releases the patch, he will credit you with the discovery. Months after that when it’s safer, you can release the exploit if you want to. Because you had published the hash 9 months earlier, folks accept that you knew how to exploit it then.
Below is the mail Halvar sent the list.
From: Halvar Flake (HalVar@gmx.de) Date: Mon Feb 05 2007 - 07:11:30 CSTHey all,
for lack of a better place, I would like to post the following hash values:
MD5Sum:
5e5ed3b92b2abbcc1adaa18cc0ca6aafSHA1sum:
FFECBE21E3EC93A5AC2B94889AD2967881398A9CCheers,
Halvar
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.Add yours.closed for this post.
Monthly Archives
- September 2008
- August 2008
- July 2008
- May 2008
- April 2008
- March 2008
- January 2008
- December 2007
- November 2007
- April 2007
- March 2007
- February 2007
- January 2007
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- November 2005
- October 2005
- September 2005
- August 2005
- July 2005
- June 2005
- May 2005
Syndication
You can read full entries of Palisade Blog using an RSS reader. Use this link —