Most vulnerabilities first blabbed about online or on the dark web

More than three-quarters of vulnerabilities are publicly reported online before National Vulnerability Database publication. News sites, blogs and social media pages as well as more remote areas of the web including the dark web, paste sites, and criminal forums first published bugs more often than NIST's centralised National …

  1. Anonymous Coward

    Why?

    Because everyone wants to be the bearer of news. A database update just doesn't cut it.

  2. samuri

    Man selling threat intelligence service highlights dangers of not using a threat intelligence service

  3. patrickstar

    Uhm... The really good bugs are generally sold for gazillions of dollars, sometimes literally years before they are made public. No one would post their high-value discovery on Pastebin, or even discuss it outside very closed circles.

    This seems to be about leakage once the bug is re-discovered by someone with more noble intentions (perhaps when said person was getting hacked to pieces with it).

  4. John Smith 19 Gold badge

    "a proactive and risk-based approach to addressing vulnerabilities, "

    I'm guessing the company that did the survey provides such a service.

    But you could start by seeing what ports on what PCs can be seen by the outside world.

    If a port is open, why is it open and who opened it?

    Setting up a patch testing PC(s) to find out if they will break anything, but otherwise keeping all patches on all SW up to date.

    Making sure your backups do actually back up stuff by restoring from them, preferably from an end-of-day and before the start of the next business day, so no one actually loses anything.

    Otherwise is this an actual delay in notification or is it a delay between informing who maintains the CVE and the CVE being updated for it to be visible?

  5. Your alien overlord - fear me

    How long does it take for an NSA-used 'bug' to become public and fixed? I doubt days :-)

  6. Outer mongolian custard monster from outer space (honest)

    Here's the thing, sometimes if you find a really bad bug and disclose direct to the vendor, it's patched quietly and you get no credit for your hard work (or with new changes the spooks get to sit on it unfixed instead and you have a silencing order slapped on you, it seems, from something the other day).

    Sometimes, that's what the client who's paying for you wants, but only sometimes, and some people feel the need to build a reputation.

    I was part of a team that found many bugs and security issues in products testing new kit over the years, and only on one occasion did we get a mention in the vendor's patch notes thanking or mentioning us, and then because the finder in our team explicitly asked them to, in prep to seed his name into searches ready to escape the role to a wider world.

  7. Stevie

    Bah!

    Big surprise. Not.

  8. Anonymous Coward

    Many bugs never get CVEs

    Apple is the only company I'm aware of (if there are others, let me know) that files a CVE for each individual bug, including all the ones they discover themselves. Many companies only file CVEs for externally discovered bugs, or file a single CVE for a whole module (i.e. one CVE for a dozen different browser vulnerabilities).

    That makes it hard to compare, since if you have a single CVE for multiple bugs the time to fix is for the slowest bug of the bunch. And if internally discovered bugs are left out of the CVE system you don't know if they're just ignoring them until someone outside finds them. Yeah, stupid policy, but we've all heard of plenty of examples where that happened.

  9. NonSSL-Login

    NSA hoovering 0days in mass surveillance

    The three- and four-letter agencies mirroring all backbone traffic will get to know about the exploit extremely quickly after it is used on the internet the first time, and also have the payload in the captured packets.

    Personally I like to think that vulnerability researchers tell the world asap so as to burn it for those agencies.

    I'm allowed to dream about a perfect world...

    1. patrickstar

      Re: NSA hoovering 0days in mass surveillance

      It's kinda hard to pick up 0days from traffic surveillance. I mean, the whole point of a bug being 0day is that it's unknown, so you don't know what to look for.

      I'd expect them to have triggers for various patterns they have encountered in exploits from various groups however (payloads etc).

      A bigger problem for them would be the fact that quite a bit of traffic is encrypted nowadays. If you are hacking a web server over SSL it's not gonna be distinguishable from any other web traffic to an outside observer unless you screw up and have your payload connect back unencrypted or something like that (but that wouldn't yield any immediate information about the vulnerability, just the knowledge that there is SOMETHING vulnerable on the server).

  10. amanfromMars 1 Silver badge

    More of the same please, but different is better

    As much as you may like to think things can change for the better, is there always this base opportunity and premium vulnerability to sow and harvest reward and bounty from ......

    Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones. ...... Donald Rumsfeld

    And every day if you can do something oddly different and share it wwwidely, is IT exciting and even terrifying.

    Have a nice day, y'all, and ffs live a little, do something different and exciting.
