5.3 Vulnerability Remediation

Note

Thursday, August 14, 2008

In Chapter 2, Chapter 3, and Chapter 4, I disclosed the security bugs directly to the vendor of the compromised software and helped it to create a patch. I chose another disclosure process for this bug. This time I didn’t notify the vendor directly but rather sold the bug to a vulnerability broker (Verisign’s iDefense Lab Vulnerability Contributor Program [VCP]) and let it coordinate with Cisco (see Section 2.3).

I contacted iDefense on April 8, 2008. It accepted my submission and informed Cisco of the issue. While Cisco was working on a new version of the ActiveX control, another security researcher named Elazar Broad rediscovered the bug in June 2008. He also informed Cisco but then disclosed ...
