Notarized advisories - new trend in vulnerability disclosure

By Paladion

February 9, 2007

Halvar Flake sent a mail with two hash values to the Daily Dave mailing list.
Just the hash values, and nothing else.
This is called a notarized advisory. Halvar found a vulnerability or something which he would like to keep a secret. He wrote a paper on it, calculated the hash of the paper and publicized the hash. When he's ready to let the secret out, say months from now, he can prove that he wrote that paper in Feb 2007 as he had circulated its hash in Feb.
This is the next step in responsible vulnerability disclosure. Don't publish the exploit, just publish its hash. Share the vuln details only with the vendor. When the vendor releases the patch, he will credit you with the discovery. Months after that when it's safer, you can release the exploit if you want to. Because you had published the hash 9 months earlier, folks accept that you knew how to exploit it then.
Below is the mail Halvar sent the list.

From: Halvar Flake (
Date: Mon Feb 05 2007 - 07:11:30 CST
Hey all,
for lack of a better place, I would like to post the following hash values:

Tags: Uncategorized