thomas.mackenzie at upsploit.com
Tue Aug 24 20:01:59 CDT 2010
You were right to email info@ as that goes to all the people within the project.
I am the project manager for upsploit and we are currently working towards a release for the 6th Sept, when I will be appearing on PaulDotCom to talk about the project. There will also be a small article in the next Hakin9 magazine.
Basically upSploit works with the vendors primarily; most advisories are first confirmed and sent off to the vendor once they are confirmed to be true. This works slightly differently in the sense that we send the advisories off to the vendor first, making it a lot less time on our end.
We allow the vendor to reply within 180 days, and in this time around 10 reminder emails are sent out.
Once the vulnerability has been patched, we distribute the advisory to a number of different databases across the internet in the hope that the advisories can help other researchers with their research.
The whole process is automated; the only manual part is if the vendor replies back to us and we need to give a response.
If the vendor does not get back to us, we release the advisory ONLY on our site, and have a voting system that's a plus or minus 1, so in reality it's never properly confirmed but you will be able to see what people think about it.
On 25 Aug 2010, at 01:50, Jake Kouns wrote:
> Definitely curious to see what happens for sure ... As many already
> know a vuln disclosure portal to help with the process and make
> advisories more mad libs style was a goal of OSVDB and we started work
> on it during the 2006 Google Summer of Code....
> We called it the OSVDB Ethical Disclosure Framework at the time, though
> we ultimately abandoned the term ethical in favour of coordinated disclosure.
> This had been one of the projects that we wanted for years and we
> thought it was validated as we were seeing more and more issues with
> the disclosure process!
> We believed all along that OSVDB could be the service that helped to
> improve, streamline and more importantly remove the mystery of the
> breakdowns in the process. OSVDB has been handling one-off disclosures
> for researchers over the past 8 years and it is not an easy task. The
> amount of time it takes to handle a disclosure process is huge. We
> realized early on that a lot of the process needed to be automated in
> order to be successful and repeatable.
> Copied the project info@ on this email so perhaps we can get an update
> from the project team and determine if it makes sense to potentially
> work together and/or integrate with OSVDB.
> On Tue, Aug 24, 2010 at 5:19 PM, security curmudgeon
> <jericho at attrition.org> wrote:
>> On Tue, 24 Aug 2010, Art Manion wrote:
>> : http://www.upsploit.com/
>> : Is this on anyone's radar?
>> We saw it a few weeks back, read the web page and found it interesting.
>> Haven't heard anything about it other than what is there now.