Notarized advisories - new trend in vulnerability disclosure

Paladion
By Paladion

February 9, 2007

Halvar Flake sent a mail with two hash values to the Daily Dave mailing list.
Just the hash values, and nothing else.
This is called a notarized advisory. Halvar found a vulnerability or something which he would like to keep a secret. He wrote a paper on it, calculated the hash of the paper and publicized the hash. When he's ready to let the secret out, say months from now, he can prove that he wrote that paper in Feb 2007 as he had circulated its hash in Feb.
This is the next step in responsible vulnerability disclosure. Don't publish the exploit, just publish its hash. Share the vuln details only with the vendor. When the vendor releases the patch, he will credit you with the discovery. Months after that when it's safer, you can release the exploit if you want to. Because you had published the hash 9 months earlier, folks accept that you knew how to exploit it then.
Below is the mail Halvar sent the list.

From: Halvar Flake (HalVar@gmx.de)
Date: Mon Feb 05 2007 - 07:11:30 CST
Hey all,
for lack of a better place, I would like to post the following hash values:
MD5Sum:
5e5ed3b92b2abbcc1adaa18cc0ca6aaf
SHA1sum:
FFECBE21E3EC93A5AC2B94889AD2967881398A9C
Cheers,
Halvar


Tags: Uncategorized

About

Paladion

SUBSCRIBE TO OUR BLOG

Buyers-Guide-Collateral

WHITEPAPER

Buyer’s Guide to Managed Detection and Response

Download
MDR

Get AI Powered

Managed Detection and Response

MDR-learmore-btn

 

MDR-Guide-Collateral

REPORT

AI-Driven Managed Detection and Response

Download Report
Episode

EPISODE-25

Red-LineAsset-6

Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought

Click URL in the Post for the Full Podacst
  • FacebookAsset
  • LinkedinAsset
  • TwitterAsset