Vulnerable Sites Database
Besides other common public sources of real security vulnerabilities, such as the full-disclosure mailing list, zone-h.org (well known for publishing web defacements and vulnerabilities), or xssed.com (which publishes websites that are vulnerable to Cross-Site Scripting, XSS), a new website saw the light this month: the Vulnerable Sites Database (http://www.vs-db.info).
This disclosure repository publishes web server and web application vulnerabilities, such as Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL Injection (SQL), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Directory Traversal, etc. The site says they practice "Responsible disclosure no details are made public (details of vulnerabilities are privately reported to developer or web site owners).", and it publishes only limited details about each vulnerability, but it is definitely becoming a new wall of shame. It is a new place to keep an eye on, and one where you should try not to show up in the picture.
Although similar initiatives have existed in the past and then disappeared, and although it is too soon to confirm, for now the site remains very active, with multiple daily entries.
----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com
Comments
I'm not saying that's what they're doing, just that afaik there is no reason to trust the people behind the site without a little more responsible disclosure about themselves. If the info is there, it's more well hidden than it ought to be. (If I'm missing content because I run with No-Script, then shame on them for not accommodating their targeted community of users which is much more likely than the general public to not promiscuously allow JavaScript.)
It's tin foil hat Monday, after all.
Ken
Apr 26th 2010
The main goal of the post was to make ISC readers aware of its existence, not having any details about how they deal with the sensitive info. Please, understand there is no trust factor at all on my post.
Raul Siles
Apr 26th 2010
It's too easy for the messenger to get shot (metaphorically speaking) these days.
No Love.
Apr 27th 2010
guly
May 5th 2010