Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Vulnerable Sites Database - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Vulnerable Sites Database

Besides other common sources of real security vulnerabilities made public, such as the full-disclosure mailing-list, zone-h.org (well known for the publication of web defacement and vulnerabilities), or the xssed.com (that publishes websites that are vulnerable to Cross-Site Scripting, XSS), a new website saw the light this month: the Vulnerable Sites Database (http://www.vs-db.info).

This disclosure repository publishes web server and web application vulnerabilities, such as Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL Injection (SQL), Cross-Site Scripting (XSS), Cross-Site REquest Forgery (CSRF), Directory Traversal, etc. The site says they practice "Responsible disclosure no details are made public (details of vulnerabilities are privately reported to developer or web site owners).", with limited details about the vulnerability, but definitely becoming a new wall of shame. A new place to keep an eye on and try not to show up in the picture.

Although similar initiatives existed in the past and then disappear, and although it is too soon to confirm, for now, the site remains very active with multiple daily entries.

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

Raul Siles

152 Posts
The "About" page is blank, and the domain registration is private. Who are these people, and what are they doing with the vulnerability details besides keeping them "private"? Putting up a "responsible disclosure" site without revealing a thing about yourself sounds like a good way to collect vulnerabilities for non-responsible purposes.

I'm not saying that's what they're doing, just that afaik there is no reason to trust the people behind the site without a little more responsible disclosure about themselves. If the info is there, it's more well hidden than it ought to be. (If I'm missing content because I run with No-Script, then shame on them for not accomodating their targeted community of users which is much more likely than the general public to not promiscuously allow JavaScript.)

It's tin foil hat Monday, after all.
Hal

50 Posts
Ken, due to multiple reasons (such as legal responsibility for publishing that kind of info in some countries), this tend to be the case for lots of sites disclosing vulnerability info.

The main goal of the post was to make ISC readers aware of its existence, not having any details about how they deal with the sensitive info. Please, understand there is no trust factor at all on my post.
Raul Siles

152 Posts
Ken:

It's too easy for the messenger to get shot (metaphorically speaking) these days.
No Love.

37 Posts
database comes in pdf <g>
guly

3 Posts

Sign Up for Free or Log In to start participating in the conversation!