navigation bar left navigation bar right

Secunia CSI7
navigation left tab About us navigation right tab
navigation left tab Careers navigation right tab
navigation left tab Memberships navigation right tab
navigation left tab Newsroom navigation right tab
navigation left tab Contact us navigation right tab

Why do you spend time verifying vulnerability reports?

Get this blog as an RSS Feed
10:26 CET on the 8th September 2010
Entry written by Stefan Cornelius.

A lot of people may not picture the Secunia Research team as socialising people, but once in a while we actually do go out and meet with like-minded individuals to have some nice food, beers, and exchange our latest and greatest security rants. Recently, at one of those occasions we were asked the question: "Why do you spend time verifying vulnerability reports?"

While the answer seems obvious to us at Secunia, it is a very good and valid question. It may not be as apparent to other people, even security researchers, why there is a need to perform additional verification. Why is our perception of this so different?

Perhaps it never crossed your mind to check if the cross-site scripting report suspiciously related to an SQL error message is not an SQL injection in disguise? Did you ever launch IDA Pro and your debugger weapon of choice just to find out why a vulnerability is reported as "memory corruption" when the screenshot of the reporter's debugging session looks an awful lot like a NULL pointer dereference error? Have you dived deep into disassembled code to determine if disabling JavaScript really is really sufficient to stop the latest browser 0-day?

Secunia's advisory team invests countless of hours on a daily basis verifying vulnerability reports that turn out to be either non-issues or somewhat incorrect. You don't see us issuing advisories for all the non-issues, but there are actually days where the amount of reports "killed" by the advisory team outnumbers our published advisories. If you experience this day after day over several years, this will change your perspective.

Are there really that many fake reports? We don't really encounter many of those; we are more concerned about the partially incorrect reports or reports missing important information. A report may appear obviously wrong e.g. if a quick web search for the product name results in zero hits, however, what if the reporter doesn't speak English and auto-translated an Arabian product name? Suddenly, zero hits are not so surprising anymore. There are also cases where a report looks correct and legit, but there's a typo in the parameter or file name. How would you know without installing and testing the application for yourself? How can you properly evaluate the criticality or potential workarounds if you never spend time tracking down the core problem of a reported "buffer overflow"? How can you even be sure that it's not a completely different problem altogether? Is a kernel crash really just a crash or is there a potential for privilege escalation and how do you know without e.g. analysing the source code?

Spending countless hours, whether it's installing a dozen unknown web applications or reversing and analysing the latest exploits, is not only about catching incorrect reports; it also routinely leads to new information. Sometimes, it's simple things like confirming that the latest version is vulnerable when the original reports lacks version information. Often, it's more interesting cases like discovering that the "unspecified memory corruption" is actually an integer overflow to serious things like discovering that a reported DoS vulnerability in fact allows code execution, a vendor's patch is inadequate, additional attack vectors or even new vulnerabilities.

The short answer to the question would, of course, be: "To ensure that our customers and community receives the most accurate, trustworthy, and reliable Vulnerability Intelligence."

Stay Secure,

Stefan Cornelius,
Security Specialist

Discuss this blog entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.
Subject: Why do you spend time verifying vulnerability reports?
User Message


RE: Why do you spend time verifying vulnerability reports?
This reply has been deleted

Rafael Martins

RE: Why do you spend time verifying vulnerability reports?
This reply has been deleted


RE: Why do you spend time verifying vulnerability reports?
This reply has been deleted
taffy078 RE: Why do you spend time verifying vulnerability reports?
Contributor 5th Nov, 2010 06:13
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I don't spend any time on this.

Having read Stefan's blog, it might well have been written in Swahili!

No doubt the technical members here understood it but I didn't. Nor do I have to, of course.

That's why I'm so glad that Secunia colleagues spend their time verifying vulnerability reports. ;0)

The answer to Stefan's question is, of course,

"To ensure that Secunia customers and community receives the most accurate, trustworthy, and reliable Vulnerability Intelligence".

They keep us safe - thank you, Secunia, for such a great, free service.

taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?


You must be logged in to post a comment.

 Products Solutions Customers Partner Resources Company
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
Technology Partners
 About us

Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
Secunia © 2002-2015 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+