"Open-Source Vulnerability Disclosure: Exploitable Weak Spots"
According to Aqua Security researchers, attackers could exploit flaws in the vulnerability disclosure process of open-source projects to gather the information they need to launch attacks before patches are made available. With a "half-day" vulnerability, the maintainer is aware of the flaw and information about it is publicly available on GitHub or in the National Vulnerability Database, but there is still no official fix. A "0.75-day" vulnerability has an official fix, but no CVE number or CPE identifier, which means vulnerability scanning tools cannot detect the vulnerable component in the organization's environment, and security teams are unaware that they must apply the fix. The article goes on to discuss the risk that arises from half-day and 0.75-day vulnerabilities, as well as the call to action for open-source project maintainers.
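As an added illustration (not code from the Help Net Security article or from the Aqua Security research), the following Python classifies vulnerability records into the windows the summary describes and shows why a scanner that keys only on CPE identifiers misses half-day and 0.75-day components that a package-name and version-range check against advisory feeds would still catch. Every package name, version, CVE and CPE string, and the `VulnRecord` and `Component` types are constructed placeholders; the "0-day" and "full-disclosure" labels for the windows outside the article's two terms are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions can be ordered."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class VulnRecord:
    """One vulnerability as the maintainer or an advisory feed would describe it."""
    package: str
    introduced: str             # first affected version
    fixed: Optional[str]        # first fixed version; None = no official fix yet
    publicly_disclosed: bool    # details visible on GitHub issues or in the NVD
    cve_id: Optional[str] = None
    cpe: Optional[str] = None   # CPE name a CPE-keyed scanner needs to match

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass
class Component:
    """One entry from an SBOM or asset inventory."""
    package: str
    version: str
    cpe: Optional[str] = None   # CPE as recorded in the inventory, if any


def disclosure_stage(rec: VulnRecord) -> str:
    """Map a record onto the disclosure windows the article names."""
    if not rec.publicly_disclosed:
        return "0-day"                  # not public yet (label is ours)
    if rec.fixed is None:
        return "half-day"               # public, maintainer aware, no fix
    if rec.cve_id is None or rec.cpe is None:
        return "0.75-day"               # fixed, but no CVE/CPE to match on
    return "full-disclosure"            # fixed and identifiable (label is ours)


def cpe_scanner(inventory: List[Component], records: List[VulnRecord]):
    """Scanner that only matches components by CPE identifier.

    Product-level CPE strings are compared for equality here; a real scanner
    also evaluates version ranges, which does not change the blind spot shown.
    """
    by_cpe = {r.cpe: r for r in records if r.cpe}
    hits = []
    for c in inventory:
        rec = by_cpe.get(c.cpe)
        if rec is not None and rec.affects(c.version):
            hits.append((c.package, c.version, rec.cve_id))
    return hits


def advisory_feed_check(inventory: List[Component], records: List[VulnRecord]):
    """Match on package name plus version range, as a maintainer advisory or
    GitHub security advisory feed allows even before a CVE/CPE exists."""
    hits = []
    for c in inventory:
        for r in records:
            if r.package == c.package and r.affects(c.version):
                hits.append((c.package, c.version, disclosure_stage(r)))
    return hits


def scanner_blind_spots(inventory: List[Component], records: List[VulnRecord]):
    """Affected components the advisory check finds but the CPE scanner does not."""
    seen = {(pkg, ver) for pkg, ver, _ in cpe_scanner(inventory, records)}
    return [h for h in advisory_feed_check(inventory, records)
            if (h[0], h[1]) not in seen]


# Constructed sample data; identifiers are placeholders, not real advisories.
EXAMPLE_CPE = "cpe:2.3:a:example:libbaz:*:*:*:*:*:*:*:*"
RECORDS = [
    VulnRecord("libfoo", "1.0.0", None, True),                     # half-day
    VulnRecord("libbar", "2.1.0", "2.1.4", True),                  # 0.75-day
    VulnRecord("libbaz", "3.0.0", "3.0.2", True,
               cve_id="CVE-YYYY-NNNNN", cpe=EXAMPLE_CPE),           # full
]
INVENTORY = [
    Component("libfoo", "1.2.0"),
    Component("libbar", "2.1.2"),
    Component("libbaz", "3.0.1", cpe=EXAMPLE_CPE),
]

if __name__ == "__main__":
    print("CPE scanner finds:", cpe_scanner(INVENTORY, RECORDS))
    print("Advisory check finds:", advisory_feed_check(INVENTORY, RECORDS))
    print("Missed by scanner:", scanner_blind_spots(INVENTORY, RECORDS))
```

Run stand-alone, the CPE-keyed scanner reports only the `libbaz` component, while the advisory check also flags the half-day `libfoo` and the 0.75-day `libbar` components; `scanner_blind_spots` lists exactly those two, which is the gap the article warns security teams about.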
Help Net Security reports "Open-Source Vulnerability Disclosure: Exploitable Weak Spots"
Submitted by grigby1