Vulnerable Sites Database

Published: 2010-04-26
Last Updated: 2010-04-26 16:50:26 UTC
by Raul Siles (Version: 1)
4 comment(s)

Besides other common sources of real security vulnerabilities made public, such as the full-disclosure mailing-list, zone-h.org (well known for the publication of web defacement and vulnerabilities), or the xssed.com (that publishes websites that are vulnerable to Cross-Site Scripting, XSS), a new website saw the light this month: the Vulnerable Sites Database (http://www.vs-db.info).

This disclosure repository publishes web server and web application vulnerabilities, such as Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL Injection (SQL), Cross-Site Scripting (XSS), Cross-Site REquest Forgery (CSRF), Directory Traversal, etc. The site says they practice "Responsible disclosure no details are made public (details of vulnerabilities are privately reported to developer or web site owners).", with limited details about the vulnerability, but definitely becoming a new wall of shame. A new place to keep an eye on and try not to show up in the picture.

Although similar initiatives existed in the past and then disappear, and although it is too soon to confirm, for now, the site remains very active with multiple daily entries.

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

4 comment(s)

Comments

The "About" page is blank, and the domain registration is private. Who are these people, and what are they doing with the vulnerability details besides keeping them "private"? Putting up a "responsible disclosure" site without revealing a thing about yourself sounds like a good way to collect vulnerabilities for non-responsible purposes.

I'm not saying that's what they're doing, just that afaik there is no reason to trust the people behind the site without a little more responsible disclosure about themselves. If the info is there, it's more well hidden than it ought to be. (If I'm missing content because I run with No-Script, then shame on them for not accomodating their targeted community of users which is much more likely than the general public to not promiscuously allow JavaScript.)

It's tin foil hat Monday, after all.
Ken, due to multiple reasons (such as legal responsibility for publishing that kind of info in some countries), this tend to be the case for lots of sites disclosing vulnerability info.

The main goal of the post was to make ISC readers aware of its existence, not having any details about how they deal with the sensitive info. Please, understand there is no trust factor at all on my post.
Ken:

It's too easy for the messenger to get shot (metaphorically speaking) these days.
database comes in pdf <g>

Diary Archives