Re: [Full-disclosure] unreliable vulnerability reports en masse [was: Re: vulnerability in Symantec products]



Gadi Evron wrote:

Nothing really surprises me anymore. The quality of advisories, and of the
QA people do, seems to be dropping, especially when it comes to File
Inclusions. The level of false positives posted in the last couple of
weeks is staggering.

Folks use Google Code Search to find vulns, and don't notice they are
fixed 3 lines above the "bug" and that three lines below, there is
another one.

Last week, one of these File Inclusion vulns worked only if you
disabled two security functions that work by default...

Up to this day, vulnerabilities and exploits would be researched to a
level, and released AS-IS. This is fast becoming impractical.

If the S/N ratio of ADVISORIES rather than ML traffic becomes even lower
due to unreliable submissions, our jobs will indeed become much, much
harder.

:) Perhaps the antisec/bantown crew have developed a new strategy to try
and shut down FD by flooding it with useless-but-valid-seeming information?
Just as spammers have moved on from random hashbuster strings to including
chunks of real english text from news reports and books, so the antisec
posters have moved on from furry pr0n and gay lames to real-yet-wrong bug
reports. Subtle, you'll never get even a really good bayesian filter to
discriminate between valid and bogus bug reports!

cheers,
DaveK
--
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
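The failure mode Gadi describes above (a code-search hit for include() with user input that is actually whitelisted a few lines earlier, while the real bug sits a few lines further down) is easy to reproduce with a small triage script. The following is an added example, not code from the thread or from any product discussed in it: the PHP sample is constructed, and the list of constructs treated as a "guard" (in_array, preg_match, basename, and so on) is an assumption chosen for illustration, not a complete taint analysis.

```python
import re

# Constructed PHP sample (not from any real project). The first include() is
# what a code-search regex for "include + $_GET-derived variable" would flag,
# but it is whitelisted a few lines above; the second include() two lines
# below it is the real bug.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
$allowed = array('home', 'about', 'contact');
if (!in_array($page, $allowed, true)) {
    die('bad page');
}
include($page . '.php');
$lang = $_GET['lang'];
include('lang/' . $lang . '.php');
"""

SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.*);\s*$")
INCLUDE = re.compile(r"\b(?:include|include_once|require|require_once)\b(.*);")
VARREF = re.compile(r"\$(\w+)")
# Assumption for this example: any of these constructs applied to the tainted
# variable between its assignment and the include counts as validation.
GUARD = re.compile(r"\b(?:in_array|array_key_exists|preg_match|ctype_alnum|basename|switch)\b")


def taint_sources(lines):
    """Map variable name -> 1-based line where it was assigned straight from a superglobal."""
    tainted = {}
    for no, line in enumerate(lines, 1):
        m = ASSIGN.match(line)
        if m and SUPERGLOBAL.search(m.group(2)):
            tainted[m.group(1)] = no
    return tainted


def guarded_between(lines, var, start, end):
    """True if some line strictly between 1-based lines start and end applies a GUARD to $var."""
    for line in lines[start:end - 1]:
        if GUARD.search(line) and re.search(r"\$" + re.escape(var) + r"\b", line):
            return True
    return False


def triage(php_source):
    """Classify each include/require whose argument is user-controlled.

    Returns a list of (line_no, verdict). The verdict is 'guarded' when every
    tainted variable in the argument was validated between its assignment and
    the include, otherwise 'likely vulnerable'. Includes that take no user
    input at all are not reported.
    """
    lines = php_source.splitlines()
    tainted = taint_sources(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = INCLUDE.search(line)
        if not m:
            continue
        arg = m.group(1)
        if SUPERGLOBAL.search(arg):
            # include($_GET[...]) outright: nothing in between to check
            findings.append((no, "likely vulnerable"))
            continue
        used = [v for v in VARREF.findall(arg) if v in tainted and tainted[v] < no]
        if not used:
            continue
        if all(guarded_between(lines, v, tainted[v], no) for v in used):
            findings.append((no, "guarded"))
        else:
            findings.append((no, "likely vulnerable"))
    return findings


if __name__ == "__main__":
    for no, verdict in triage(SAMPLE_PHP):
        print(f"line {no}: {verdict}")
```

Run on the sample, line 7 (the code-search "hit") comes back as guarded and line 9 as likely vulnerable, which is exactly the pair of mistakes the post complains about: reporting the first and missing the second. The script is deliberately narrow; it does not model register_globals, runtime configuration, or anything beyond straight-line assignment, so its "guarded" verdict is a reason to read the surrounding code, not a proof of safety.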