
So You Found A Security Bug – Now What?

Security vulnerabilities are discovered, reported and fixed every day. But how can we more easily learn about them, and how can the white-hat hackers that find them keep their finds organized? “I prefer a world where I have all the information I need to assess and protect my own security,” Bruce Schneier wrote in an essay on Full Disclosure in 2007. It’s a need the industry is still working out.

Big issues are usually reported, a perfect example being the Heartbleed OpenSSL vulnerability, but the small flaws go unnoticed by most – and that’s a big problem. Security researcher and auditor Sergey Belov is trying to help close the gap between security bugs and the general public with his new site,

Belov, a senior security auditor at ERPScan, got his own knack for hacking 9 years ago after successfully scanning his dial-up network for shared, public files. Since then, he’s been hacking and has participated in various Capture the Flag competitions, including making it to the DEF CON CTF finals in Las Vegas in 2012 and winning the Russian CTF competition Chaos Constructions last year. He’ll be co-leading a training session at this year’s Black Hat USA on Enterprise Business Application Security Defense.

Belov started the site after encountering the problem of submitting vulnerabilities to different site owners and losing track of them. He wanted a place where friends, vulnerability testers, and people interested in security could share their recent exploits and previously-discovered flaws in one place.

Dissatisfied with the current options, Belov set out to build his own, aptly-named site. The main goal of BugsCollector, Belov says, is to collect and share web security breaches, vulnerabilities and tricks from security researchers around the world. His plan for BugsCollector’s future is to create a platform where vendors can receive bugs from researchers in cases where the researcher can’t get in touch with the organization, a common occurrence, Belov says.

A New Era for Responsible Disclosure?

Full disclosure is the socially responsible thing to do, and, as Bruce Schneier wrote, “a damn good idea.” It’s about time there was better organization in it. Many organizations – eBay, PayPal, Facebook, and Google, just to name a few – offer bug bounties and hall of fame listings for the researchers who successfully find and disclose bugs on these monstrous sites, but most anything else is found – and promptly forgotten.

It’s clear researchers want more than their name up on a site and some money for the bugs they find – they’re looking to discuss, comment and share with each other. The popular mailing list Full Disclosure was closed last month and then immediately re-opened under a new administrator, but it isn’t necessarily the best facilitator for real conversations. It’s obvious there’s a real need for a central yet uncensored place to collect and share the vulnerabilities that thousands of security researchers around the world find every day.

We’re at a crossroads with responsible disclosure – organizations are finally more responsive and thankful to researchers who find security bugs, but we still need an uninterrupted place to collect and assess our personal security. The bottom line is that the more connected security researchers are to each other and to the companies researchers find insecure, the better it is for security.

Could BugsCollector, or a similar site, be the answer to our full disclosure woes? What do you think?
