4

Has anybody discovered a zero-day vulnerability?

I know some black hat hackers sell that kind of info on the deep web. But if you are a white hat...

  • Which steps to perform?
  • How to assure a CVE is released with your name? Who is in charge of this management?

Thank you.

OscarAkaElvis
  • 1
    You can already find plenty of questions about disclosure policies. CVE assignment is a separate topic but there are also plenty of posts on that. Can you narrow your question down to a particular aspect that you want help on? – Arminius May 24 '17 at 20:29

2 Answers

5

There is an ISO standard dedicated to this subject: https://www.iso.org/standard/45170.html

It is generally accepted to work with the vendor affected and give them time to resolve the issue within a reasonable time frame. Google Project Zero takes the stance of 90 days to fix from initial disclosure to the vendor and full disclosure from that point.

Greg
0

Myself, I informed the vendor about the vulnerability, but they didn't agree with that, so I disclosed it on exploit-db and Tor :) and after a month, they fixed it.

If you want it in white hat hacker style, then:

1. Inform the owner/vendor (mail them), explain the vulnerability to them, and they will come up with a patch for the vulnerability.

2. You can publish it on CVE: https://cve.mitre.org/cve/cna.html (follow the method given on the website).

Black hat hacker style:

1. Sell it on Tor browser

2. Disclose it on exploit-db: https://www.exploit-db.com/

3. Sell it on exploit hub: https://blog.exploithub.com/

4. Sell it on ZDI: http://www.zerodayinitiative.com/

Ekalavya