OSVDB
@OSVDB Open Sourced Vulnerability Database (OSVDB), now shuttered. Now random vulnerability-related Tweets and discussion.
this may be the worst modern paper on the subject of vulnerabilities and cyber norms cfr.org/blog/three-mea…
Some of the most egregious findings from a study of the world's 100 largest airports:
- 100% of the mobile apps contain at least five external software frameworks.
- 100% of the mobile apps contain at least two vulnerabilities.
scmagazine.com/home/security-…
@dvyukov "modest estimation, syzkaller have found more than 1000 security vulnerabilities"
Massive Oracle Patch Reverses Company's Trend Toward Fewer Flaws ow.ly/wGef50xYyFz by @roblemos #Oracle #patching #vulnerabilities #software
The new RCE in Citrix is... a directory traversal?! Goddammit people. Will you ever learn? 😥
We have just released a new tool for exploiting CVE-2019-19781. Our goal was to keep it private as long as possible to have a longer window to fix. Other researchers have published the exploit code in the wild already. Cat's out of the bag. github.com/trustedsec/cve… #TrustedSec
At Google Project Zero, the team spends a *lot* of time discussing and evaluating vulnerability disclosure policies and their consequences. It's a complex and controversial topic! Here's P0's policy changes for 2020 (with our rationale for the changes): googleprojectzero.blogspot.com/2020/01/policy…
"The products saturating our lives are released in the worst, most broken, untested, and often dangerously flawed forms imaginable. Think Skynet, but a dumbass."
New by me, with incredible art by @KorenShadmi and @eveb starring in the opener: engadget.com/2019/12/31/hom…
If you are depressed this Christmas, just remember that one inebriated developer committed the heartbleed vulnerability to OpenSSL during their festivities, always check those late at night new year's eve open-source commits!
And @cvenew is still publishing IDs that do not have provenance of the vulnerability. This should be a serious concern to anyone that works with vulnerability intelligence.
Shout out to the wonderful Dependency-Track community who contributed feedback and code to make this release possible. Care about #SoftwareSupplyChain and want to get involved in this #opensource project? We’re always looking for quality contributions. github.com/DependencyTrac…
@OWASP Dependency-Track v3.7 now available. This release includes: - Support for internal components - Increased precision of CPE analysis - SVG badge improvements - Hex repo support for #Erlang and #ElixirLang - Bug fixes docs.dependencytrack.org/2019/12/16/v3.… #SBOM #SoftwareSupplyChain
It’s a poorly kept secret that some great Android 0days come from upstream patches. CVE fixes in mainline don’t always make it into Android, so it’s free vuln research.
New guidance on Linux-stable Merges for Android: source.android.com/devices/archit… -- looks positive, reducing the patch gap for upstream kernel security bugs is really important. The window of exposure for publicly known issues is too long at the moment.
Bug bounty reports be like: I've got arbitrary vibration execution on any cell phone if I know as little as a phone number
There's a "security.txt" proposal to IETF (the RFC ppl) for a robots.txt-like way for researchers to contact website owners about vulns. Comment needed ASAP, and anybody can comment via email! Personally I'm for @securitytxt Make vuln reporting easier! mailarchive.ietf.org/arch/msg/ietf-…
TFW vendors tag vulnerabilities you reported in open source commits/changelog/issues, but still haven't released an updated version of their software for 2 months after the fact.
Linux ProTip: `sysctl -a | grep rp_filter` If any values are 2, you may be vulnerable to hijacked VPN (OpenVPN/IPSec/Wireguard/etc) tunnels. Set rp_filter to 1 please. Ref: CVE-2019-14899 #stayfrosty #linux #vpn #security #networks
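A small checker for the rp_filter tip above, added here as an example and not part of the tweet: it parses `sysctl`-style output and reports every interface whose reverse-path filter is not strict (1), so a value of 2 (loose) or 0 (off) stands out. The sample input is constructed; run it against a real host with `sysctl -a 2>/dev/null | weak_rp_filter`.

```shell
#!/bin/sh
# Added example, not from the original tweet. Reads "key = value" lines on
# stdin, so it can be checked against constructed output without root.
# Unlike a plain "grep rp_filter", it ignores arp_filter lines and only
# reports interfaces whose rp_filter is not strict (1), the state relevant
# to the CVE-2019-14899 VPN tunnel hijack the tweet refers to.

# Print "interface value" for each rp_filter key whose value is not 1.
weak_rp_filter() {
    awk -F '[ =:]+' '
        /^net\.ipv4\.conf\..*\.rp_filter/ {
            iface = $1
            sub(/^net\.ipv4\.conf\./, "", iface)   # strip the key prefix
            sub(/\.rp_filter$/, "", iface)         # strip the key suffix
            if ($2 != 1) print iface " " $2
        }'
}

# Constructed sample: loose filtering on "all" and eth0, disabled on lo.
SAMPLE='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 1'

# Report for the constructed sample (handy for a quick self-check).
report_sample() {
    printf '%s\n' "$SAMPLE" | weak_rp_filter
}

# Exit 0 when every interface on stdin is strict, 1 otherwise (cron-friendly).
rp_filter_ok() {
    [ -z "$(weak_rp_filter)" ]
}

if [ "${1:-}" = "--demo" ]; then
    report_sample
    printf 'Remediation: sysctl -w net.ipv4.conf.all.rp_filter=1 and persist it under /etc/sysctl.d/\n'
fi
```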
I wanted to fully test this “Responsible Disclosure” theory so I submitted a one click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Summary:
- Yes, PoC helps bad people do bad things faster
- Defenders need the PoC more than the attackers do, even though both sides are helped by its release
- Giving defenders even slight edges over the majority of criminal attackers is net good
- Non-disclosure is far worse
Tired of S3 buckets getting created as public? I put together a Python script that can go into a Lambda function that closes them. I've found this helpful for environments where S3 buckets don't need to be public within an AWS account. #AWS github.com/hackersifu/s3l…
$iot->burn($garbage); # Periodic reminder that IOT is terrible. Reversing a phone firmware, after unpacking the proprietary blob I find a bug that was previously reported 4 years ago. Tracking the supply chain, I am now 3 deep. We need software BOMs and reproducible builds ASAP