Open Sourced Vulnerability Database (OSVDB), now shuttered. Now random vulnerability-related Tweets and discussion.

Joined January 2009
Pinned Tweet
6 Apr 2016

OSVDB retweeted
9 Feb 2020
Some of the most egregious findings from a study of the world's 100 largest airports: ▪️100% of the mobile apps contain at least five external software frameworks. ▪️100% of the mobile apps contain at least two vulnerabilities. scmagazine.com/home/security…

OSVDB retweeted
6 Feb 2020
@dvyukov "modest estimation, syzkaller have found more than 1000 security vulnerabilities"
OSVDB retweeted
Massive Oracle Patch Reverses Company's Trend Toward Fewer Flaws ow.ly/wGef50xYyFz by @roblemos #Oracle #patching #vulnerabilities #software

OSVDB retweeted
11 Jan 2020
The new RCE in Citrix is... a directory traversal?! Goddammit people. Will you ever learn? 😥
11 Jan 2020
We have just released a new tool for exploiting CVE-2019-19781. Our goal was to keep it private as long as possible to have a longer window to fix. Other researchers have published the exploit code in the wild already. Cat's out of the bag. github.com/trustedsec/cve-20… #TrustedSec
OSVDB retweeted
At Google Project Zero, the team spends a *lot* of time discussing and evaluating vulnerability disclosure policies and their consequences. It's a complex and controversial topic! Here's P0's policy changes for 2020 (with our rationale for the changes): googleprojectzero.blogspot.c…
OSVDB retweeted
"The products saturating our lives are released in the worst, most broken, untested, and often dangerously flawed forms imaginable. Think Skynet, but a dumbass."
New by me, with incredible art by @KorenShadmi and @eveb starring in the opener: engadget.com/2019/12/31/home…
30 Dec 2019
Dept Homeland Security Pitches Cyber Vulnerability Disclosure Policy - bit.ly/2tZKbly

OSVDB retweeted
If you are depressed this Christmas, just remember that one inebriated developer committed the heartbleed vulnerability to OpenSSL during their festivities, always check those late at night new year's eve open-source commits!
OSVDB retweeted
24 Dec 2019
And @cvenew is still publishing IDs that do not have provenance of the vulnerability. This should be a serious concern to anyone that works with vulnerability intelligence.
OSVDB retweeted
It’s a poorly kept secret that some great Android 0days come from upstream patches. CVE fixes in mainline don’t always make it into Android, so it’s free vuln research.
11 Dec 2019
New guidance on Linux-stable Merges for Android: source.android.com/devices/a… -- looks positive, reducing the patch gap for upstream kernel security bugs is really important. The window of exposure for publicly known issues is too long at the moment.
OSVDB retweeted
13 Dec 2019
Bug bounty reports be like: I've got arbitrary vibration execution on any cell phones if I know as little as a phone number
OSVDB retweeted
There's a "security.txt" proposal to IETF (the RFC ppl) for a robots.txt-like way for researchers to contact website owners about vulns. Comment needed ASAP, and anybody can comment via email! Personally I'm for @securitytxt. Make vuln reporting easier! mailarchive.ietf.org/arch/ms…

OSVDB retweeted
Linux ProTip: sysctl -a | grep rp_filter If any values are 2, you may be vulnerable to hijacked VPN(OpenVPN/IPSec/Wireguard/etc) tunnels. Set rp_filter to 1 please. Ref: CVE-2019-14899 #stayfrosty #linux #vpn #security #networks
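The rp_filter check in the tweet above, carried one step further as an added example (this is not the tweet author's code). The point it adds: Linux applies max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<interface>.rp_filter) when it validates the source address of packets arriving on an interface, so one "2" in the `all` key puts every interface into loose mode even if the interface itself is set to 1. The `sysctl` output it parses is a constructed sample, not captured from a real host.

```python
import re

# Added example, not the tweet author's code. It turns the grep in the
# tweet into a check of the mode the kernel actually applies, because
# Linux uses max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<if>.rp_filter)
# when validating the source of packets arriving on <if>
# (Documentation/networking/ip-sysctl.rst).

OFF, STRICT, LOOSE = 0, 1, 2
MODE_NAMES = {OFF: "off", STRICT: "strict", LOOSE: "loose"}

# Constructed sample of `sysctl -a | grep rp_filter`: a distro default
# of loose mode in `all`, and an admin who set eth0 to strict.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0
net.ipv4.conf.wlan0.rp_filter = 0
"""

# Constructed sample of the same host after the remediation below.
FIXED_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0
net.ipv4.conf.wlan0.rp_filter = 0
"""

_RP_LINE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.rp_filter\s*=\s*([012])$")


def parse_rp_filter(sysctl_output):
    """Map each rp_filter key ('all', 'default', interface names) to its value."""
    values = {}
    for line in sysctl_output.splitlines():
        m = _RP_LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_modes(values):
    """Effective mode per real interface: max(all, interface).

    'all' is the template folded into every interface; 'default' only
    seeds interfaces created later, so neither is an interface itself.
    """
    all_val = values.get("all", OFF)
    return {iface: max(all_val, val) for iface, val in values.items()
            if iface not in ("all", "default")}


def not_strict(sysctl_output):
    """Interfaces whose effective mode is not strict, with the mode name.

    Loose (2) is what the tweet and CVE-2019-14899 point at; off (0) is
    reported as well since it does even less source validation.
    """
    modes = effective_modes(parse_rp_filter(sysctl_output))
    return {iface: MODE_NAMES[m] for iface, m in modes.items() if m != STRICT}


def remediation(values):
    """sysctl.conf lines that make every current and future interface strict.

    max() means all=1 already covers interfaces at 0; only interfaces that
    are themselves at 2 must be lowered as well.
    """
    lines = ["net.ipv4.conf.all.rp_filter = 1", "net.ipv4.conf.default.rp_filter = 1"]
    for iface in sorted(values):
        if iface not in ("all", "default") and values[iface] == LOOSE:
            lines.append("net.ipv4.conf.%s.rp_filter = 1" % iface)
    return lines


if __name__ == "__main__":
    for iface, mode in sorted(not_strict(SAMPLE_SYSCTL).items()):
        print("%-8s effective rp_filter is %s" % (iface, mode))
    print("\n".join(remediation(parse_rp_filter(SAMPLE_SYSCTL))))
```

On the constructed sample, eth0 is reported as loose despite its own value of 1, which is exactly why "any value is 2" is the right thing to grep for. Feed it the real output with `python3 rpcheck.py < <(sysctl -a 2>/dev/null | grep rp_filter)` after swapping the constant for `sys.stdin.read()`; the remediation lines go into `/etc/sysctl.d/`, and `default` matters because it is what a freshly created tun0 or wg0 inherits.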
OSVDB retweeted
I wanted to fully test this “Responsible Disclosure” theory so I submitted a one click RCE in Microsoft Teams to #msrc on Sep 01, 2018. It is still open. The disclosure policy of @taviso and others gets bugs fixed. This does not.
Summary: ✅Yes PoC helps bad people do bad things faster ✅Defenders need the PoC more than the attackers do, even though both sides are helped by its release ✅Giving defenders even slight edges over the majority of criminal attackers is net good ✨Non disclosure is far worse
OSVDB retweeted
11 Nov 2019
Tired of S3 buckets getting created as public? I put together a Python script that can go into a Lambda function that closes them. I've found this helpful for environments where S3 buckets don't need to be public within an AWS account. #AWS github.com/hackersifu/s3lock…
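What a bucket-locking Lambda like the one in the tweet above has to decide, as an added example (this is not the linked hackersifu script): classify a bucket as public from its ACL grants and its bucket policy, then apply S3 Block Public Access to that bucket. It assumes the Lambda is triggered by a CloudTrail `CreateBucket` record delivered through EventBridge, uses the real boto3 calls `get_bucket_acl`, `get_bucket_policy` and `put_public_access_block`, and simplifies AWS's own "public" definition by treating any `Condition` as scoping the statement. The ACLs, policies and event are constructed samples.

```python
import json

# Added example, not the script linked in the tweet. It shows the
# decision a bucket-locking Lambda has to make (is this bucket public?)
# and the remediation call (S3 Block Public Access on that bucket).
# The event shape assumed is a CloudTrail CreateBucket record delivered
# by EventBridge; the boto3 calls used exist with these signatures.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}

# All four Block Public Access switches; applied to buckets caught public.
LOCKDOWN = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample inputs, not captured from a real account.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
PUBLIC_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                 "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000example"}}}]})
SAMPLE_EVENT = {"detail": {"eventName": "CreateBucket",
                           "requestParameters": {"bucketName": "example-bucket"}}}


def acl_is_public(acl):
    """True if any grant is to the AllUsers or AuthenticatedUsers group.

    `acl` has the shape s3.get_bucket_acl() returns. AuthenticatedUsers is
    'any AWS account in the world', which Block Public Access also treats
    as public.
    """
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy_json):
    """True if an Allow statement has a wildcard Principal and no Condition.

    Simplified relative to AWS's own 'public' definition: a Condition
    (aws:SourceVpce, aws:SourceIp, ...) is taken to scope the statement,
    so such statements are not flagged here.
    """
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
               and not s.get("Condition") for s in statements)


def bucket_from_event(event):
    """Bucket name from an EventBridge-delivered CloudTrail CreateBucket event."""
    return event["detail"]["requestParameters"]["bucketName"]


def lambda_handler(event, context, s3=None):
    """Lock the bucket named in the event if its ACL or policy is public.

    `s3` is injectable for tests; inside Lambda it defaults to boto3.client("s3").
    """
    if s3 is None:
        import boto3  # present in the Lambda runtime, not needed offline
        s3 = boto3.client("s3")
    bucket = bucket_from_event(event)
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy_json = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except Exception as exc:  # botocore.exceptions.ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "NoSuchBucketPolicy":
            raise
        policy_json = None
    if acl_is_public(acl) or policy_is_public(policy_json):
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=LOCKDOWN)
        return {"bucket": bucket, "action": "locked"}
    return {"bucket": bucket, "action": "none"}
```

The function's role needs `s3:GetBucketAcl`, `s3:GetBucketPolicy` and `s3:PutBucketPublicAccessBlock` on the buckets in scope. The per-bucket approach fits the tweet's case, an account where some buckets may still legitimately be public; if none ever should be, the account-level Block Public Access setting (the `s3control` API) is the blunter and simpler control, and a Lambda is then only useful as a detector.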
OSVDB retweeted
$iot->burn($garbage); # Periodic reminder that IoT is terrible. Reversing a phone firmware, after unpacking the proprietary blob I find a bug that was previously reported 4 years ago. Tracking the supply chain, I am now 3 deep. We need software BOMs and reproducible builds ASAP
OSVDB retweeted
After some peer discussion, I've decided to follow Google's timeline for disclosure of vulnerabilities being publicly exploited in the wild, which is 7 days. I have the advisory written up and will disclose on November 20th, unless @KeybaseIO wishes to engage further
OSVDB retweeted
I'm assuming the lack of follow-up from @KeybaseIO means I can chat about the issue I reported to them that they don't think is a big deal. I'm gonna have to write this one up