
Resurrecting DWF

Posted Apr 8, 2021 8:48 UTC (Thu) by Rigrig (subscriber, #105346)
In reply to: Resurrecting DWF by mezcalero
Parent article: Resurrecting DWF

I think there needs to be some verification involved, or you'd soon get botnets "finding" lots of issues with a particular product/vendor.
And even if everyone could somehow filter those out themselves, that is a lot of duplicate effort.


Resurrecting DWF

Posted Apr 8, 2021 21:48 UTC (Thu) by kurtseifried (guest, #57307)

So one major aspect of this is the quality of data. For example, a security vulnerability with a trivial reproducer like the ping of death, well yeah, that's an issue. But what about "Closed source foo crashes during bad TLS handshake"... er... ok... maybe? Can we have the reproducer? With OpenSource a lot of this boils down to "function() has a vuln in X, see here in line Y", which makes it trivial to verify, and more often than not the project has already replied with a "yup, that's a vuln". A great example of this is CVE-2021-1000000 with https://github.com/gpac/gpac/issues/1485 as a source, and "fixed, thanks for the report". Basically, it boils down to the quality of data, followed by the trust level of the reporter (e.g. if taviso says it's a vuln, it's a vuln), followed by actually spending time validating it. Luckily, for most OpenSource vulnerabilities it's pretty easy.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds