It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE). I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light. This time I'll focus on my workflow and thought process as we go. 🧵
Interesting research by David Bozzini, an antropologist at the University of Fribourg, Switzerland, about the history of vulnerability disclosure, from first (ethical) hacker to modern bug bounty programs:
"My research focuses on the defense mechanism of vulnerability disclosure, which has become immensely valuable to the digital tech industry and beyond. This paper addresses the history of vulnerability disclosure and the emergence of the defensive market that has developed alongside the offensive market In fact, the defensive market for vulnerability information is a recent model of vulnerability disclosure organized in the form of bug bounties programs. Bug bounties are initiatives managed by companies or organizations looking for information on their own vulnerabilities through which they pay individuals—ethical hackers—to uncover bugs in their systems and, in turn, improve the security of their products and services. In this paper, I analyze the historical processes that have transformed models of vulnerability disclosure over the years and have given rise to a defensive market that has monetized disclosure, turned ethical hacking into labor, and made information on vulnerabilities a commodity."
https://hal.science/hal-04068476
#vulnerabilitydisclosure #bugbounty #history #research #markets
My research focuses on the defense mechanism of vulnerability disclosure, which has become immensely valuable to the digital tech industry and beyond. This paper addresses the history of vulnerability disclosure and the emergence of the defensive market that has developed alongside the offensive market In fact, the defensive market for vulnerability information is a recent model of vulnerability disclosure organized in the form of bug bounties programs. Bug bounties are initiatives managed by companies or organizations looking for information on their own vulnerabilities through which they pay individuals—ethical hackers—to uncover bugs in their systems and, in turn, improve the security of their products and services. In this paper, I analyze the historical processes that have transformed models of vulnerability disclosure over the years and have given rise to a defensive market that has monetized disclosure, turned ethical hacking into labor, and made information on vulnerabilities a commodity.
Mike Masnick ✅
