Vulnarb.com: A New Approach to Security Disclosures

Zed Shaw yesterday unveiled Vulnarb.com, an experimental project to improve the process of responsible security vulnerability disclosure. Today, security researchers have two choices: contact the developers about a vulnerability and wait for them to fix it, or publish the vulnerability for the world to see. Both of these approaches have flaws. Users may be unaware that the products they use have vulnerabilities if those vulnerabilities aren’t publicly disclosed, but public disclosure could make them even more vulnerable to exploitation.

Shaw’s plan is to create a public repository of security vulnerabilities. The specifics of each vulnerability will be encrypted and provided only to the company or developers behind the product. The public will know which products have vulnerabilities, but not what the specific vulnerabilities are. Companies or researchers can then disclose the vulnerability once it’s been fixed.

“The goal is to provide a market incentive for companies to fix security holes, rather than the current situation where they can sit on them legally for years,” Shaw writes.

The key to making this work is the encryption. If a researcher posts an inaccurate vulnerability, the developers will be able to decrypt the alleged vulnerability and make it public to clear their names.

Here’s how it would work, according to Shaw:

  • Giving researchers tools to upload SSL public key encrypted vulnerability descriptions, which only the SSL private key holders can decrypt.

  • Consumers then can go see which companies and products have vulnerabilities, but not actually know what those vulnerabilities are until the company fixes them.

  • Once the company fixes their product, they can upload the decrypted files to prove they fixed it.

  • If they don’t, it’s assumed they haven’t fixed it.

  • If the researcher lies then they’ll easily be exposed by just decrypting their lies for everyone to see.

At the moment, the project is in its earliest stages. Shaw is looking for people to test the viability of his plan to use a company’s website’s SSL certificate as a public key. Those interested can contact Shaw through Twitter.
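The core of the scheme above is ordinary public-key encryption keyed by the vendor's TLS certificate: the researcher encrypts the details so that only the certificate's private key can open them, and the vendor later reveals the plaintext to prove the fix. The following is an added example written for this article, not code from Vulnarb.com or from Shaw; it assumes a hybrid construction (a random AES-256-GCM content key wrapped with RSA-OAEP to the certificate's RSA public key), and the self-signed certificate, product name and report text are all constructed stand-ins for a real vendor's certificate and a real report. It also goes one step beyond the list: instead of publishing a decrypted file, the vendor can publish the unwrapped content key, so anyone can open the originally posted ciphertext and confirm that what was disclosed is what was filed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report is what the researcher posts publicly: the product name in the clear,
// and vulnerability details readable only by the holder of the certificate's private key.
type Report struct {
	Product    string
	WrappedKey []byte // AES-256 content key, RSA-OAEP encrypted to the certificate's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // encrypted vulnerability description (GCM tag appended)
}

// issueSelfSignedCert stands in for fetching the vendor's TLS certificate.
// Constructed for this example; a real deployment would parse the served certificate.
func issueSelfSignedCert(host string) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// EncryptReport is the researcher's side: it needs only the public certificate.
// The product name is used as the OAEP label and as GCM associated data, so the
// ciphertext is bound to the product that is named publicly.
func EncryptReport(cert *x509.Certificate, product string, details []byte) (*Report, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(product))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, details, []byte(product))
	return &Report{Product: product, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// UnwrapKey is the vendor's side: the TLS private key recovers the content key.
// Publishing this key after the fix lets anyone open the original posting.
func UnwrapKey(priv *rsa.PrivateKey, r *Report) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, r.WrappedKey, []byte(r.Product))
}

// OpenReport is run by the vendor, and later by the public once the key is revealed.
// GCM authentication fails if the ciphertext or the product name was altered.
func OpenReport(key []byte, r *Report) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Product))
}

func main() {
	priv, cert, err := issueSelfSignedCert("vendor.example") // constructed stand-in
	if err != nil {
		panic(err)
	}
	report, err := EncryptReport(cert, "ExampleServer 1.0", []byte("constructed report text"))
	if err != nil {
		panic(err)
	}
	key, err := UnwrapKey(priv, report) // vendor step
	if err != nil {
		panic(err)
	}
	details, err := OpenReport(key, report) // vendor, then anyone given the key
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s\n", report.Product, details)
}
```

Revealing the content key rather than a separate decrypted file is what makes the "prove they fixed it" step checkable by third parties: the ciphertext was public from the start, so a disclosure that does not decrypt it is visibly not the filed report. The same property exposes a false report, since the vendor can reveal the key at any time.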

Shaw is the creator of the Mongrel and Mongrel2 Web servers and the author of Learn Python the Hard Way and the Programming, Mother F*cker manifesto.

Photo credit: Circo de Invierno.
