<div>[Moderator: I ask you to accept this mail, so that the comunity may come with a solution. Thanks in advance.]</div>
<div> </div>
<div>Hi,</div>
<div> </div>
<div>During the near past I have to confront some issues when reporting vulnerabilities to the vendors, I'm not going to disclose the vendor's names because is not the goal of this mail, but to become with a solution. I'm asking the researches comunity and whoever can help us to come with the best solution. In this mail I'll explain my reasons and what I think is the best solution (actually I've borow the idea from others) and ask the comunity if someone thinks that is a better one.
</div>
<div> </div>
<div>Reasons:</div>
<div>--------------</div>
<div> </div>
<div>1- I've contacted with some vendor and after getting the right security contact to send the vulnerabilities I've sent the pgped PoC files. Then the vendor didn't come any more to me. After a month I've contacted the vendor again, the vendor said: 'oh, I didn't receive the mail'. I've resent the mail and the vendor replayed: 'I've tryed the PoC files and none of them worked, probably our internal testing team found them'. After receiving that answer from the vendor I've downloaded the software again and the vulnerabilities were fixed. I did a binary diffing to analyze OLD vs. NEW version and extraordinary...the bug I've reported + two other bugs where fixed, what was a bit suspicious. I've ask about this to the vendor and the vendor replayed the following:
</div>
<div> </div>
<div>"""</div>
<div>
<div style="DIRECTION: ltr">It's hard to imagine that the respective fix would be directly related to<br>your files because we haven't had them. Don't get me wrong, we have no<br>problem crediting anyone who reports bugs to us, helping us to improve our
<br>software (just as we did e.g. in the case of version XXXXX where we<br>credited XXX YYYY - see<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://www.linktothecredit/" target="_blank">http://www.
<font style="BACKGROUND-COLOR: #ffff88">linktothecredit</font></a> ) but I <br>don't think this applies here, really...<br><br>Sorry - maybe you can find some other overruns in the current build? (or,<br>even better, in the build that's coming out in about a week - because that
<br>one has some new fixes in it, too [so it's theoretically possible you'd hit <br>something that has already been fixed, too]).<br>"""</div>
<div style="DIRECTION: ltr"> </div></div>
<div>This was the case with one vendor, and pretty similar situation with others. (ofcourse there were excelent comunication with some other vendors, but is out of the scope of the solution that I want to come with.)<br clear="all">
</div>
<div>2- There are some vendors that are really dificult to deal with. It took me about 4 months to get the right contact to report the bugs, and this would be another think to think about, A public 'Vendor's Vulnerability Reporting Contact DB/List'.
</div>
<div> </div>
<div>As I do believe in responsible disclosure, I don't agree with 'giving up and launchin 0days' so that vendors eat their s**t, the following is what I think is the best solution for it.</div>
<div> </div>
<div>Solution:</div>
<div>-------------</div>
<div> </div>
<div>First of all: I've taken this idea from matasano and Halvar, that were the ones I've seen that did this in the past.</div>
<div>The main mailling list should create a 'Vulnerabilities Hashes mailing list' where the researches comunity can send the hashes of the PoC files just before they conctact the vendors. That way if the vendors do not give the proper credits to the researchers, at least the researches will have another proof to show that they were the ones that reported the vulnerabilities, and not just the mails they've crossed with the vendors.
</div>
<div> </div>
<div>Final Comments:</div>
<div>-------------------------</div>
<div> </div>
<div>I'm pretty sure that a lot of researches has this kind of problems in the past and this is really frustrating. </div>
<div> </div>
<div>*** I don't want this mail to end up being a: "Oh, yes, I have this problem with xxx", and so. Please don't do that because is NOT the goal of this mail. Just bring your ideas to improve this and to make this 'Vulnerability Hashes mailling list' to happen. ***
</div>
<div> </div>
<div>The following is are the MD5, SHA-1 and SHA-256 hashes of the vulnerabilities that I'll be reporting to the vendors after sending and seeing the post in the mailling list. This is a verdors based hashes, because probably in some cases the PoC files behind this hashes may affect other vendors, but as I didn't try with other vendors I don't deserve the credits for the vendors that I didn't spot vulnerabilities, if other researcher finds the same bugs in other vendors, they are the ones that deserve the credits for that.
</div>
<div> </div>
<div>
<p>AnhLab V3:<br>----------</p>
<p>65d9c1f2a9f3e7cf90e814ad27c7868b<br>bf6460b08b07b9fdfc90e243e8c72b326b4070f4<br>e766ac5bedb1144a8bb0426382aec5b58d9fcbf2ac560c321e474f57124c322b</p>
<p>Avira Antivir:<br>--------------</p>
<p>6be69d215a9abee4c5966243fbd074a2<br>34ad8cd7fd38a8c6af9d6e13bd2bbe72806ceee4<br>1094efa900cd1b0bcacbd38fa6ebee65bace529227512d25cdeede4dadbaef7b</p>
<p>770206b8b023069913315bc0ad15fa7f<br>a1c5a301e1898e5749eb8bdb477f7ff786142a6d<br>ecc1a63d3c7e1c21a6d92d8b5d7889038861bf09f43c5ab81d84ff6f3a9c166c</p>
<p>cd180ca57fccb2611eded02789830803<br>25d610387e7a7c2a372e8cc612b495c3145e9768<br>6d4ddde75ecaddd0780420485d4a973cb1d9ba0df2c1fef15ca8a1a29d67f640</p>
<p>c40a37cd215c7cca64310984b6b7a848<br>4c09a09683328f4a0a56f4ca523b5d25e4a9f618<br>dbb89a4f297a050df445cb8a0e81b5753f32a4fe0d8b40f648572152215977da</p>
<p>76105c8caf97785c9fa330481b13713d<br>0ee01fa4ab0f9a3504201ce02a4c53547a8efbb4<br>eae7a347cbd805bce87ca8303d4de98729034228a1a94b999c01bb132f4738f2</p>
<p>AntivirusKit:<br>-------------</p>
<p>f308330ddc4fe26c0458a148f9594759<br>36a5feb922e8163be67a85018294d9e179cbcec7<br>6da70b2be86525ae5fc654cc293a44437ee6ca912668eff7501ef529a5be4196</p>
<p>f9a42de55118798f2920a2b1072c8444<br>f62f63ac4aee1295cbf7a636e13e5cba7f6474a5<br>8d8be8e6bd765c8822696d2af58f53f386987129c7ceca43f051f026d4073a7a</p>
<p>56865f1768d2a646ce0e9e8d436ec67b<br>0dfcb3a5c004665821f58afe3ddc7aca52411919<br>fd66434954edd4e07265660a37be5737e08414b033901905e5e535a4431aee7b</p>
<p>6511e2fdc0f721a47c4e8a1d626108f2<br>9fc5010703bcccdab67f4c61b2144f06c1ed6679<br>0c42ceba2e181cc943a330ea7d9e9ed7b05cb2602b50c10693ab3515d0d3776c</p>
<p>e2927d23417de42c00f6570179fa0ab4<br>5a654b60b4e5d7b971393993bf74bff6b7babf4c<br>a0b47cb536e58f060fd193e44cad1c282964bf02d743eeb375496d96e9852492</p>
<p>e29cf7b7613bfdbb9a0c1b4114527251<br>712e1835f88a75b50b902b5aeb8c63199d634da8<br>0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27</p>
<p>99558b6186c3af5415dac0488b0f4a0d<br>fb6504beb4934e9c4656121d0efd224b3e12da04<br>b339d6e1ea6d76a297b691b989a650c47392d063a7ee8394ac3a104e831cd97b</p>
<p>136eeda72cff4ce605424dd4566b5c5b<br>d79e8ece11468fffadd9ce0f24d6904544882979<br>2fb06f226571cb9f097d2ebcdef89898d70033bdd092233fea048fb345d318ad</p>
<p>a8f265a5d767f40a942a93be4ace83f4<br>1aee982c67d3557dcb77989c36ff4c35115eb8c7<br>957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732</p>
<p>Avast Antivirus:<br>----------------</p>
<p>24b53bacfa2f6aeba6226466d6a96758 <br>7bccb6233ae8356928f49ece594af2ec05654ec7 <br>e07652d14834e267a661892a240be7185035942224c9386e68cbdeb1e636369a </p>
<p>df88c0d9489a877eca251f6977f07d0b <br>dca5faa757d3a7d72bf37873db8dae7e0f002cd1 <br>65271e3d3a5e4f70f337b19b661f8ed5521777715c3c7223c5bde05f5ab826b9 </p>
<p>649666668e1f0a219c0bd9619aff5d91 <br>839c714d4b28bf903c6ccd0b1b7a6fdf5c46c01a <br>41c263ea1ce75411792f5853c8c02bf1ccf06708f09cd874490ef11623b85d55 </p>
<p>0f16d47de15ebbcd30ecad2b3ba9aea2 <br>51f859523e3d1d7eb8549ac27bc0ce292dfb940d <br>54806f6d3c6d193ea874057bc1d04e403c99c51fcf46dacbf3fdffc8a7033244 </p>
<p>f1f4ac1d188c020f8e9a651555279227 <br>dd2cd2fafe3d98b099a7504bd94089c1deec680a <br>cb5e46bb6abe10a8bc35dbb24991770f6433d7b5981998604164bb43ec2676bc </p>
<p>4696e1bb5e73620c6e715d9c727ac7f6 <br>a240b8bdd748a15ef6e451e4a327258367e7c07c <br>2181db5345a3d04c83cbf5ca8442fecfeb1f3825ec0a7516f07eaebd03ee234a </p>
<p>40a82d15fcb2cd982fde52b5d90e7d49 <br>b5248dd45ff405a0c75e7771c25ce1d8cdc2dfd2 <br>cdedcb945de7855b9ff791ce1d0dff0bacccd715eaf61942676b4153f9783cda </p>
<p>df519bca64476f0f7e0a973c31e0828a <br>b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68 <br>003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3 </p>
<p>193a39e6e57c5fe1e673cd60fc9f838d <br>d2bdb2e33a3c0922918d0badbec70d830228586c <br>dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f </p>
<p>835899502d90cf4a435aa4392b2b03f4 <br>ec81ee8d7239a89346e1e17ad4f018da180d5310 <br>b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22 </p>
<p>2ec5e7d881bd4792fe63992a052aa054 <br>3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc <br>bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1 </p>
<p>df519bca64476f0f7e0a973c31e0828a <br>b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68 <br>003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3 </p>
<p>193a39e6e57c5fe1e673cd60fc9f838d <br>d2bdb2e33a3c0922918d0badbec70d830228586c <br>dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f </p>
<p>835899502d90cf4a435aa4392b2b03f4 <br>ec81ee8d7239a89346e1e17ad4f018da180d5310 <br>b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22 </p>
<p>2ec5e7d881bd4792fe63992a052aa054 <br>3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc <br>bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1 </p>
<p>7f1dfbef6cbb128480a89c518ef5e7b6 <br>86dfabefece6ced61521cca7a8d573214bacc61d <br>abf0a439abadd50cf7871e14f7b0fecf6d24b0257679e186b4a8cfa5c95db26f </p>
<p>2c799b6dd1a95ac3f7ae9cb6550145ef <br>e509214a69108485821a370d48a22ae519feda42 <br>fc204ac5f18b04a36570273035300004d16ab38b990e7c699743f4bbe1c8cd73 </p>
<p>8505d6f3bb638c47a51c1e954945219d <br>0923321102a3a6ef606a54ea6375118e5003e7d2 <br>f5103f808ba9e227ebf8f16f361a1710f6f083757d56d40a2c6dcd64f4578499 </p>
<p>Grisoft AVG:<br>------------</p>
<p>7ed40b565903c3788157f1b7facd3e8c <br>d95141a18c0d49e3ef4da4ae4164460c04df571a <br>018f888c8f9a280c2a546d70646cfdfb002127f786777036190227f82438e99f </p>
<p>4cf5ea82eeb3526584bbc0e648859f28 <br>4872d5a93ce3caafd2398b948a17c535fe1c178d <br>fc528e338ff779041cd7d43d5175461cbec51476bc83bab993930c894b4ab27f </p>
<p>3f30645d19a29120e3ed6667023f9b26 <br>d8e468bb9b6d224e322a08e6b813d9a891a7a37c <br>e88ad4becf6ba0917e9187b7dcc907e2f0d1789e71dd8328f455662405afcacc </p>
<p>9723df4678b88056e18727fadfc523f5 <br>21823e87f72ae6268f67f27dda6e1fd97162baa0 <br>22c7987f4c9f0ae996e322547afd8f70dd0c1e579bebd9505d1d8106c6a8c47f </p>
<p>CA eTrust:<br>----------</p>
<p>b1ad7836c4c5f13acd39a7554cb4a74c <br>b21fdf4ac22cb040ceb060a5ce9369344a012ea5 <br>3c39bf686d8cfa8d5901c10b6faff8e15f53eb5a7b09226893c5ec0add63e819 </p>
<p>bb41ecd6340ddadf1b342569f545e0b3 <br>38405393b9145bf92c3ce2b9f887bbb200578c15 <br>cc933471d8a8c1ff2216209b5063b5ebc77e86846d0b5d4809763af1277fcf93 </p>
<p>830b9443c1d9a2c3a3c22a61e141ff67 <br>a5eb5a4bfab519db6db1270dda12a3eed36e99e6 <br>ef3a5733a48728564781c3d5d7bf364f7c6b8c2dc9f62fbf7abd07c361e1078b </p>
<p>e29cf7b7613bfdbb9a0c1b4114527251 <br>712e1835f88a75b50b902b5aeb8c63199d634da8 <br>0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27 </p>
<p>F-Secure Antivirus:<br>-------------------</p>
<p>8029afc917c99b76211376677bec7025 <br>0e8b7674771c1cbd8860f73b1ce53aa88720c7d3 <br>107b3efdeab6e622cc164c4cdde5366ca1d4aac7e263217e0b41c7dcbff3b025 </p>
<p>2c4c3f6b89c7c395842b41a697cad411 <br>b7d769358b594770d392bd57cbc9e56ece99b422 <br>548b4b246be5ed4cf962d556c20c96c35994269f06b5ddedd7aa7e7248e9e250 </p>
<p>657d39f36ac3f09f46ec30ed25a66a48 <br>3ca8a75f157cecb89ab8a9cf29b5589536428d50 <br>1fd43a88cf07ef8f5f1f35f656fbb08b2d16ad273363e88fa2efe4a056937f4a </p>
<p>d27a2fb4a40b785e25a450bb3acfd793 <br>6b1d6d0754711ff5bafd84b1ed5a9ceeb88f3a53 <br>e50e14059f17895efcfb7f60ff0be061cf49fa4a288c63ec494991555667da32 </p>
<p>McAfee VirusScan:<br>-----------------</p>
<p>a8f265a5d767f40a942a93be4ace83f4 <br>1aee982c67d3557dcb77989c36ff4c35115eb8c7 <br>957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 </p>
<p>ee44ef6cf5cb0a8debae2adf18a33579 <br>a4a386f2b911b7bb9fc3572935032bb56c9a5d85 <br>c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b </p>
<p>ee44ef6cf5cb0a8debae2adf18a33579 <br>a4a386f2b911b7bb9fc3572935032bb56c9a5d85 <br>c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b </p>
<p>3fb13db5928235fce3f6e65aa7ea4e86 <br>83f6ef1b222ad55fd87967e3089f554a33ae5a06 <br>be927665d2d44f0958b7c8070ea4cc77444cdfe3ada3d8398dd1cb8f6b9f6192 </p>
<p>a8f265a5d767f40a942a93be4ace83f4 <br>1aee982c67d3557dcb77989c36ff4c35115eb8c7 <br>957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 </p>
<p>ESET NOD32:<br>-----------</p>
<p>cfd37b81fd0dbc62653032a4166173ff <br>3c69c0e8979237bf4af66f4b93a7ada0d0d81211 <br>e8853ba6967db030d54805899525ba20fb03c4b4786e1c1b97f1666e316052e3 </p>
<p>440c492b01a8fb46a28d210345c180ed <br>d0db253944fdc24f81df3cd0c1fb63c1a700e240 <br>8a3a6be38a55a341b2bba13bb4af453ca408edc29f1ee1f3f091e921250d28f1 </p>
<p>02dc846a5388b9c3b6021208761e6f5a <br>600420f8f3c7d438533817d64e0bef92462a614e <br>5ad94d4d445d48f1ef5d87d492e0213c7af20bebb053621418375c09412d8e4a </p>
<p>b6f1955690dcfc804fae032216507430 <br>65cf6c31c4c103c296c937520964d6dd7442d86f <br>f2401d9d3a5c3be0b9eec88eacf493ad6d83942ce0f566129cba929e398efc59 </p>
<p>c52853d1d0ada84dd432aff2eacea04e <br>1f11427a3c5620dff36ef4056901bd3e1a209eeb <br>d51bbacd4b2b540266b793ee2735d729844c0476a648d3dd7fc683d6eef13db4 </p>
<p>0107600c8612ff2ad4f22865768d407c <br>845391b0311305dadbed0aa41c2028e65516bfc1 <br>40eb114d0b472d35850fcdde4bba6bdf36f067ba55a7c2df67d65dcaa4592dec </p>
<p>Norman Antivirus:<br>-----------------</p>
<p>fc7743cda0033f81d5c7d969542ea33b <br>0e4ffac982168a0aa73f529d830dc656a747a6dc <br>ca371fd64625efb50a0f3bb403bd922fc7081fc8966df7b0fd40b40586624188 </p>
<p>a9bd4536a1966c0dde8ba718c658e854 <br>f4adb4bfac96954a93c8e9d001630540af4a3fea <br>32caf66cd837949bfff32d4c2365cb3519d908e56dd3684e8ddc107ba25cc873 </p>
<p>d5d020485df8ead5192042da9f32bb0d <br>95ead5b4fe26e5dff98a7fa95168f41713878f4c <br>e6a19e24893ad87a7c0c299f35fc2010af5a7a4a926e0fa5113946cb80dc1ea5 </p>
<p>b9a8a5063abf31f53f6f7d2e35a8f7ee <br>3640d55abbd155ea22a2a68f9d15f27e5307a048 <br>7cc06d3d8ceb341d6735c57c42288b067605a1fdeb8753729e4dddd0b435ad64 </p>
<p>5397061f4268bdcc106ada8724d2cc21 <br>3ddd04f4d4c2a1b2e91630ea909b74e9f8607554 <br>9a9eec3f5fa24f1ccf7cf47effc0a5d1f5dad12e22b61c8e4a6552dc4345a4c1 </p>
<p>13fc7553b8e2979942a95f6ff6f16f20 <br>d74a4f36bead45008d826b3e2b5d9959a2394226 <br>769ca66067e3fedff804f454a0b5a9d54dbf85f140de43b8c115f3f0bcdaf74a </p>
<p>40aefe65ef2371df256a5a17be5c08a2 <br>dfc4110d62cb9a36f27b2269f3adfa1cee0ee190 <br>17ff4d9f7dd44101544023dcd6554c2280f0cf2c779cb7a1f26717467eea25c7 </p>
<p>7d9f52171e286d022e8c2605cab69db7 <br>a2f3ef73dd41348131a4fc83bb269552c50e8a24 <br>91c53eed8ab2e06e46d7e2d2f5fecfa65d29ec4cf9832b3b1690b724a25b10bf </p>
<p>Symantec Norton Antivirus:<br>--------------------------</p>
<p>05ee29971ad88e895fe3fbb2a931cb64 <br>344724a09b87ebb0901b4a110855840440b5dd35 <br>40494ee480bd1eb946a82d87cdbbad2a55471942b513c7986f1ef07a6a860de8 </p>
<p>5aa3942cfb2854ace70434ffbbaf83ad <br>3b07b9cdbce21fa7c018ffe49ec3e4fb26898e7a <br>d9b0d079ee5d79d4791aed1465cf2b5cb69e953bfee6b39a51727bab6bfe0562 </p>
<p>Panda Antivirus:<br>----------------</p>
<p>c1ef9b02aa230410db5384b60c43737f <br>6cdbec98c6b2dae754c835cddfd7510a27d6971d <br>c7d9e6b1b1a6a99d15bdbc199584a82629b8c2696e052835832c9cdba6575827 </p>
<p>a086d36416b40da2556f708ec7839091 <br>4dd0d6efea6335af8b49e76a8629cd575f56917a <br>9051df4e9eca261e051097a877aa68c3de568e85e24eb70c4424693018f9cbdb </p>
<p>fb2b41a7c8a25c835052ec788250c285 <br>2583a038e47e85a9669f8bb944ccffcf11c21518 <br>eeb614054a4cc99bb4aa3ac4b5f09f74c630a56ca7931a10b54a8f678eb59e67 </p>
<p>Sophos Antivirus:<br>-----------------</p>
<p>ac07ed7520c4ff1ae93be01c2dc0a91b <br>69f941d81f8ed9d2a21ff7421d8f658b8bdef67a <br>60471004837929f83c0cd5fa58c51505d0182891b656216b67d2ffa3792371ac </p>
<p>e51333b8106e0cdc7c28e1d360470933 <br>d3ea44047fde6792e0d451404133dfe37c2701ae <br>8363eb9f3db54839e10edbb5b0f0214425f42a5a67fa7a7f572d161dc6fe4ecb </p>
<p>1e33c49f7c86d23217f46927d17fcf84 <br>75491f057ef1f7b69ef5431bf1a61ad0ff5765e8 <br>68d66831aab022bac9e96e23ba8e1a55b49c392ed54fab9efe0f95d64ddb747c </p></div>
<div>Cheers,</div>
<div> Sergio</div>
<div><br>-- <br>Sergio Alvarez<br>Security, Research & Development<br>IT Security Consultant<br>email: <a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:shadown@gmail.com" target="_blank">shadown@gmail.com
</a><br><br>This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; should also not copy the message nor disclose its contents to anyone. Many thanks.
<br> </div>