Questions tagged [vulnerability-management]

67 questions
38 votes, 4 answers

How do open-source projects prevent disclosing a bug while fixing it?

I understand that many open-source projects request that vulnerabilities not be disclosed on their public bug tracker but rather reported by privately contacting the project's security team, to prevent disclosing the bug before a fix is available. That makes…
Heinzi
25 votes, 4 answers

Should a vulnerability in a service that is present on the device, but not running and not used at all, be mentioned in the vulnerability report?

Say I have scanned our Cisco router and it returned 20 vulnerabilities. However, most of them are tied to specific services that this router is not running, for example CVE-2016-6380: we are not running a DNS server on our Cisco, thus we are…
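One way to handle the situation the question describes, as an added example that is not part of the question or of any Cisco tooling: keep every scanner finding in the report, but mark each one as applicable or not by checking whether the feature the advisory depends on is actually enabled in the running configuration. The finding list, the feature-to-command table and the config excerpt are constructed; the only real identifier is CVE-2016-6380 from the question, and the assumption that "ip dns server" is the command that enables the feature it concerns should be verified against the vendor advisory.

```python
"""Triage scanner findings against the features a device actually runs.

Added example, not from the question or from Cisco. FINDINGS,
FEATURE_ENABLED_BY and RUNNING_CONFIG are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed scanner output: each finding names the IOS feature the advisory ties it to.
FINDINGS = [
    {"id": "CVE-2016-6380", "feature": "dns-forwarder"},
    {"id": "EXAMPLE-FINDING-1", "feature": "http-server"},       # placeholder id
    {"id": "EXAMPLE-FINDING-2", "feature": "ssh-server"},        # placeholder id
    {"id": "EXAMPLE-FINDING-3", "feature": "unknown-feature"},   # placeholder id, no mapping
]

# Assumption: the global-config command whose presence turns each feature on.
FEATURE_ENABLED_BY = {
    "dns-forwarder": re.compile(r"^ip dns server\b"),
    "http-server":   re.compile(r"^ip http (secure-)?server\b"),
    "ssh-server":    re.compile(r"^ip ssh version\b"),
}

# Constructed running-config excerpt: the DNS forwarder is explicitly off.
RUNNING_CONFIG = """\
hostname edge-rtr-1
!
no ip dns server
ip http secure-server
ip ssh version 2
"""

@dataclass
class Triaged:
    finding_id: str
    feature: str
    applicable: bool
    reason: str

def enabled_features(config: str) -> set:
    """Features whose enabling command appears as an active (non-'no ') line."""
    enabled = set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("no "):
            continue   # comments and 'no ...' lines never enable anything
        for feature, pattern in FEATURE_ENABLED_BY.items():
            if pattern.match(line):
                enabled.add(feature)
    return enabled

def triage(findings: list, config: str) -> list:
    """Keep every finding in the report; mark the ones whose feature is off.

    Nothing is dropped: the reader still sees the finding, why it does not
    apply today, and that the fix is outstanding should the feature be enabled.
    Findings with no feature mapping stay applicable for a human to review.
    """
    on = enabled_features(config)
    out = []
    for f in findings:
        feat = f["feature"]
        if feat not in FEATURE_ENABLED_BY:
            out.append(Triaged(f["id"], feat, True, "no feature mapping; review manually"))
        elif feat in on:
            out.append(Triaged(f["id"], feat, True, f"{feat} enabled in running config"))
        else:
            out.append(Triaged(f["id"], feat, False, f"{feat} not enabled; fix still outstanding"))
    return out

if __name__ == "__main__":
    for t in triage(FINDINGS, RUNNING_CONFIG):
        state = "APPLICABLE" if t.applicable else "NOT APPLICABLE"
        print(f"{t.finding_id:20} {state:15} {t.reason}")
```

The design choice worth noting is that a finding is never silently removed: a disabled feature becomes "not applicable, fix outstanding", and an unmapped feature stays applicable rather than being guessed away.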
14 votes, 7 answers

What risk rating models are used for calculating risk scores of web vulnerabilities?

What risk rating methods, models, assessments or methodologies are used for calculating or estimating a risk score of vulnerabilities (for example, like described in the OWASP top 10) and which of those are best to use for web vulnerabilities? I'm…
10 votes, 3 answers

Are there any Common Weakness Entries (CWEs) applicable for hardware security weaknesses?

I can't seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I'm looking for a CWE that applies to power glitching or clock glitching against a microcontroller or microprocessor. Are there any CWEs…
Polynomial
7 votes, 2 answers

Are inactive vulnerable WordPress plugins still unsafe?

When you install a plugin in WordPress you can choose to activate or deactivate it. Let's say you have a plugin whose latest version is vulnerable to XSS, for example, and you're waiting for a security fix to be released. Should I disable or…
6 votes, 3 answers

CVEs aggregated by programming language?

Is there a way to search the CVE database by programming language? For instance, I'd consider CVE-2015-4852 to be a Java-specific vulnerability as the scope of the vulnerability is the commons-collections Java programming language library, while…
5 votes, 2 answers

Why do the CVSS scores differ so much between the Red Hat and NVD pages?

Take CVE-2016-7872 for example. On the National Vulnerability Database web page, we can see that the CVSS2 and CVSS3 scores are 9.8 and 10.0 respectively. But on the Red Hat security advisory page, they are 6.8 and 8.8. To my understanding, CVSS scores are…
5 votes, 2 answers

WD My Cloud Vulnerabilities - What is at risk?

Recently there were around 70 vulnerabilities found within Western Digital's "My Cloud" devices. I am curious to know more about the scope of these vulnerabilities. All of the vulnerabilities have been listed by Exploitee.rs here. There they talk…
4 votes, 3 answers

I want to hire someone on Upwork to install a bitcoin trading bot on a cloud server. What vulnerabilities should I watch out for?

Context: I tried installing Tribeca (a bitcoin trading bot) myself yesterday, but messed it up somehow, as I'm not very familiar with Docker/Git/NPM/MongoDB technologies (a little knowledge is dangerous &c, &c). I'd like to pay someone on Upwork to…
4 votes, 2 answers

What to do if you think you discovered a zero day vulnerability? (white hat style)

Has anybody discovered a zero-day vulnerability? I know some black hat hackers sell that kind of info on the deep web. But if you are a white hat... Which steps to perform? How to ensure a CVE is released with your name? Who is in charge of this…
OscarAkaElvis
4 votes, 2 answers

How to determine the minimum Linux Kernel version required for a given vulnerability

I have to track vulnerabilities for a legacy-ish (3.12) Linux kernel. For this purpose I'm searching on various sites like NVD for new vulnerabilities. Recently I encountered a problem where the affected version of the vulnerability was described as…
Noir
3 votes, 1 answer

How to fairly pay out bug bounties without going over budget?

I work for a small company and for our webapp, we want to offer bug bounties for vulnerabilities reported with monetary rewards based on criticality. Problem is we only have a limited overall budget and don't want to promise anything we cannot pay.…
Chimarr
3 votes, 0 answers

Version earlier than 0 in Debian OVAL feeds

I'm trying to parse Debian OVAL feeds to establish whether some packages are vulnerable or not. I'm using criterion elements to establish what the vulnerable version for a package is, however often there are entries saying that "version is earlier than 0", e.g. …
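Evaluating such a criterion correctly requires comparing versions the way dpkg does, not as strings or floats. The block below is an added example, not from the question or from the Debian OVAL feeds: it implements dpkg's version ordering (epoch first, then upstream version, then Debian revision; a "~" sorts before anything including the end of the string, letters before non-letters, digit runs numerically) and evaluates an OVAL-style "operation" against an installed version. Run against "earlier than 0", it shows what that criterion can match under dpkg's rules: only a version whose first component is 0 followed by a tilde pre-release suffix (for example 0~rc1), and nothing with a non-zero epoch or a normal release number, so for practically any installed package the criterion evaluates to false. The criterion strings and installed versions are constructed.

```python
"""Compare Debian package versions as dpkg does and evaluate an OVAL
dpkginfo evr criterion against an installed version.

Added example, not from the question or the Debian OVAL feeds. The algorithm
follows dpkg's verrevcmp; the versions used in __main__ are constructed.
"""

def _order(c: str) -> int:
    """dpkg's ranking of one character inside a non-digit segment."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before everything, even end-of-string
    return ord(c) + 256    # other punctuation sorts after letters

def _verrevcmp(a: str, b: str) -> int:
    """Compare two epoch-less version components; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg's ranking.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def split_evr(v: str) -> tuple:
    """'1:2.3-4' -> (1, '2.3', '4'); missing epoch is 0, missing revision is ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, _, revision = rest.rpartition("-")   # last hyphen starts the revision
    if not upstream:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def dpkg_cmp(a: str, b: str) -> int:
    """Full dpkg comparison: epoch, then upstream, then revision."""
    ea, ua, ra = split_evr(a)
    eb, ub, rb = split_evr(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# OVAL OperationEnumeration values as they appear on an evr state element.
OPS = {
    "less than": lambda c: c < 0,
    "less than or equal": lambda c: c <= 0,
    "equals": lambda c: c == 0,
    "greater than or equal": lambda c: c >= 0,
    "greater than": lambda c: c > 0,
}

def criterion_matches(installed: str, operation: str, evr: str) -> bool:
    """Evaluate 'installed <operation> evr' with dpkg ordering."""
    return OPS[operation](dpkg_cmp(installed, evr))

if __name__ == "__main__":
    # Constructed installed versions tried against the "earlier than 0" criterion.
    for installed in ("0", "1.0-1", "0~rc1", "2:0.9", "0.0.1"):
        print(f"{installed:8} less than 0 -> {criterion_matches(installed, 'less than', '0')}")
```

`split_evr` uses the last hyphen as the revision separator because upstream versions may themselves contain hyphens; the epoch is only compared numerically, which is why "2:0.9" is never earlier than "0".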
3 votes, 2 answers

How do I get the "vulnerabilities history" of a Node.js package?

When installing a Node.js package via npm or when running npm audit I get information about known vulnerabilities of packages in the project. From my understanding this means that there must be some database somewhere that contains this…
pinas
3 votes, 2 answers

What qualifies a vulnerability that shall be published?

Consider an open source project that is under continuous development. During development, in your day-to-day work you do occasionally find some issues on your own. There are also users of your library reporting issues. If a security advisory shall…
eckes