Some of the members of our Risk Based Security Vulnerability Research Team have been discovering and coordinating vulnerabilities for almost 20 years. Coordinating vulnerabilities can still be painful at times, even though things have improved overall, especially with companies in the USA and most parts of the EU. These difficulties can be compounded when the discovered vulnerabilities are in products from vendors in other parts of the world, even when reporting them through a government agency specifically set up to handle them.
Two weeks ago, we disclosed 40 critical vulnerabilities in ActiveX controls from South Korea. Most of these could easily have been exploited in 0-day attacks similar to many of those historically attributed to North Korea in past years. Since the vulnerabilities were in ActiveX controls from many different vendors, we coordinated our findings through KrCERT/CC, part of the Korea Internet & Security Agency (KISA).
We wanted to share some of the difficulties we recently ran into, and some key learnings for companies and government entities dealing with vulnerability researchers.