16 votes

VirtualBox E1000 Guest-to-Host Escape Vulnerability

5 comments

  1. what

    The author's reasoning for releasing a vulnerability like this is of particular interest (taken from the README):

    I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with the contemporary state of infosec, especially of security research and bug bounty:

    1. Waiting half a year until a vulnerability is patched is considered fine.
    2. In the bug bounty field these are considered fine:
      1. Waiting more than a month until a submitted vulnerability is verified and a decision to buy or not to buy is made.
      2. Changing the decision on the fly. Today you figured out the bug bounty program will buy bugs in a software, a week later you come with bugs and exploits and receive "not interested".
      3. Not having a precise list of software a bug bounty is interested in buying bugs in. Handy for bug bounties, awkward for researchers.
      4. Not having precise lower and upper bounds of vulnerability prices. There are many things influencing a price, but researchers need to know what is worth working on and what is not.
    3. Delusions of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating the importance of your own job as a security researcher; considering yourself "a world saviour". Come down, Your Highness.

    I'm exhausted by the first two, therefore my move is full disclosure. Infosec, please move forward.

    10 votes
  2. [4]
    Grendel
    Man, I get why the author is frustrated, but I don't think publishing 0-day exploits to GitHub READMEs is gonna fix that. Honestly I feel it hurts the reputation of security researchers more than anything else.

    If a researcher tries to responsibly disclose first and gets no traction then I understand public disclosure, but an attempt should be made. Not all companies ignore this stuff and it's not fair to just assume they will.

    3 votes
    1. [3]
      Eva
      Responsible disclosure is a trap, honestly, and more or less entirely pushed by the side creating bugs in the first place. Most academic security researchers dislike it and think the same.

      EDIT: Caveat, a few, but not most, of the "bigger" organisations like it. This is generally considered to be so because it allows them more leverage against - and makes it less practical to be - a small-scale security researcher.

      6 votes
      1. [2]
        Grendel
        Isn't the ultimate goal of security research the safety of end users? It's not security for security's sake. If there is even a small chance that a company will patch a vulnerability, we have a responsibility to the end users to give them that chance.

        Publicly disclosing 0-days is a last-ditch effort to protect users by forcing the company to fix an exploit when the danger of not fixing it outweighs the danger of public disclosure.

        3 votes