FAQ - Information about the Vulnerability-Lab
01. Why was the Vulnerability-Lab built?
02. Who is behind this project?
03. How is an advisory published?
04. How can I participate in the project?
05. Who cannot participate in the project?
06. What does an author gain by releasing a weakness?
07. Who are the clients of the subscription feeds?
08. Who are not clients of the subscription feeds?
09. When is a vulnerability released and when will it not be released?
10. How does the Vulnerability-Lab create a secure communication layer between authors and companies?
11. Do you also promote other groups / teams / researchers?
12. How can I contact the administrators of the Vulnerability-Lab?
13. How can I contact the support team of the Vulnerability-Lab?
14. I am a paying vendor of a product. Where can I request more details of the vulnerabilities found in certain products?
15. How can I find vulnerabilities from a certain author?
16. How can I find the vulnerabilities from a certain month?
17. Where can I search for certain vulnerabilities?
18. I have a good idea to improve the Vulnerability-Lab. What email address can I send my ideas to?
19. I would like to become a customer of the Vulnerability-Lab. How can I contact the lab to discuss the options?
20. I would like to have my products tested by the core team of the Vulnerability-lab. Who can I contact?
21. What kind of vulnerabilities does the Vulnerability-Lab accept and detect?
22. Which products is Vulnerability-Lab mainly interested in?
23. What happens if two vulnerability researchers submit the same vulnerability to be verified?
24. How does Vulnerability-Lab protect the researcher?
25. Why are upcoming advisories only viewable with restrictions?
26. How do I follow your mobile/public RSS Feed?
27. What details, resources, and data are provided on an advisory?
28. How does the Role System work?
29. How can I see the complete details of the upcoming advisories?
30. Why can I not register a Laboratory User account on the Startpage (Index)?
31. Does the V-Lab Team inform the vendor about every vulnerability?
32. BENEFITS!?
33. Requirements/information for partners?
____________________________________________________________________________________________________________________
1. Why was the Vulnerability-Lab built?
Originally, the Vulnerability-Lab was started as a side project of Evolution Security. The project idea came from Pim Campers & Benjamin Kunz Mejri (vulnerability researchers), and with the help of Chokri and Alexander the project was realised. Benjamin K.M. and Pim C. lead the Vulnerability Research Group, which was founded in 2009. For the project both parties draw on years of experience in IT security. In the last 12 months the two researchers have published over 300 individually discovered vulnerabilities in popular vendor products. Because disclosed vulnerabilities are often picked up and reused by monitoring systems, IPS and publishers, we decided to develop a laboratory for the safe processing of our own zero-day security vulnerabilities. Thus we offer researchers and analysts a reliable and secure way to communicate with manufacturers and to disclose their own vulnerabilities, documents and videos.
If you are a vendor, Vulnerability-Lab can be an extremely valuable resource for detailed information about the current state of security of your software. Vulnerability-Lab is a research team that identifies vulnerabilities, security holes and bad security practices in software and applications and brings this information to one site, where vendors can be notified in a professional and timely manner.
Vulnerability-Lab is committed to discovering vulnerabilities and to collaborating with researchers for better software and application security.
2. Who is behind this project?
Responsible for the project is Benjamin K. M. from Evolution Security, based in Germany.
Responsible for the research team is Pim Campers (The Netherlands).
3. How are advisories published?
A vulnerability is documented by the researcher and then submitted to the vulnerability management web application. Next, the submitted vulnerability is set to the status "unpublished". After that, the advisory enters the verification process, which has 5 stages. A registered non-public advisory can only be viewed by administrators. At first, a review of the submission is made. If the vulnerability is properly described and the criteria are met, the vulnerability will be sent securely to the manufacturer/vendor. As soon as the vulnerability status changes to "pending", the public information of the advisory will be published. Then a second verification takes place, which gives the vulnerability the status "Verified by Vulnerability-Lab"; at this stage it is also decided whether the pending advisory will be included in the public listing of the Vulnerability-Lab. Once we get confirmation that the vulnerability has been accepted and fixed by the product manufacturer, the status will change to "accepted by vendor". In this phase, the manufacturer's permission for publication is also requested and obtained. After the final tweaks and updates to the advisory, the status will be changed to "published". At that point the advisory is visible with full details to the active researchers, analysts, penetration testers, IPS, consultants, clients etc. in the customer area. After 2-3 days the advisory can be viewed by anonymous users of the Vulnerability-Lab. The advisory will be released in the appropriate category and classified with the specific IDs & reference links provided.
4. How can I participate in the project?
Basically, security analysts, security consultants, vulnerability researchers, developers and institutions may participate in this project, provided that they want to publish one or multiple vulnerabilities per month/year. The precondition for participation is that the researcher accepts and abides by the rules (policy) set by the Lab.
5. Who cannot participate in the project?
Since our project handles sensitive information which has not been published yet, not all nationalities can participate. The reason for this is the current military conflicts between countries and information wars, which we do not want to influence, nor do we want those involved as customers or friends. Since we do not want to hand over our material to militarily, religiously, racially or fundamentalist motivated groups, we try to exclude these groups from participation. We also do not want anyone in the Lab who copies vulnerabilities from other researchers or trades stolen / illegal / fake data. Also excluded from participation are people who want to publish material which has already been published several times and is already public. Owing to the core values of the Vulnerability-Lab we conduct no transactions with, nor do we collaborate with, the following countries: North Korea, Afghanistan, Iran and Lebanon. If serious researchers from these countries seek a way to publish an advisory, exceptions can be made after a review of the advisory. We do not support government institutions (government / offices / agencies) or related or neighboring companies / institutions from the above countries.
6. What does an author gain by releasing a weakness?
The author gains a good reference and can easily present himself to other industrial researchers or clients / employers. The author may also appear in the press / news and be included in various IPS or monitoring / notification systems. For our researchers, developers and security analysts a payment is a bonus. We have established the following program in advance to reward frequent publishers.
7. Subscription feed - early access to advisories?
The subscription feed is a premium early access permission to non-disclosed vulnerabilities, screenshots, movies, proof-of-concept exploits, dumps and other analysis material. The subscription feeds are commercial. The advisory subscription feeds offer access to new advisories some days prior to the end user notification, so that subscribers can improve their IPS and other notification / monitoring systems. We do not sell vulnerabilities to individuals or to unserious manufacturers, but seek long-term collaboration with well-known notification services. The zero-day feeds also include resources such as crash, error & memory dumps, as well as logs, debug details, exception logs, bug reports, pictures, videos, etc. Together with the advisory, the customer can use the details of these resources and reuse them in their own analysis, notification services or IPS monitoring systems.
8. Who are not clients of the subscription feeds?
Private people / companies without well-founded reasons cannot subscribe to the feeds. Basically, the person / company needs to state their reasons for subscribing and show that they are not involved in any illegal activities. Excluded from our services are North Korea, Afghanistan, Iran and Lebanon, as we cannot verify their reasons and activities. If manufacturers are still interested, seriously wish to subscribe and can prove their reasons and activities, please do contact us.
9. When is a vulnerability released and when will it not be released?
Generally, we follow our vulnerability advisory process, which defines all timing issues, vendor delays and response times. If the manufacturer has given permission to disclose an advisory (after a patch is available) and the vulnerability conforms to the rules, the vulnerability is likely to be released. The Vulnerability-Lab can at any time stop or hold the publication process if an infringement of the rules is found. Vulnerability-Lab is not obliged to inform the authors, nor to reveal which violation was committed. Vulnerabilities will in this case be deleted directly from all systems and will not be given out, sold, displayed or transmitted to anyone. It can happen that a very destructive vulnerability is sent to the lab and, because of its destructiveness, we cannot publish it or take responsibility as an interface between the manufacturer and the author. In this case we inform the author, of course, about the situation.
No issues with specific target exploitation or destructive live hacks, links / IPs (censor them or don't send!)
Non-persistent vulnerabilities can only be published when the vendor's service is very famous!
No 2nd or 3rd party publication of advisories, videos, vulnerabilities & documents!
No badly detailed or encrypted vulnerabilities, papers, videos & advisories!
No publication of stolen, ripped or grabbed documents / advisories / vulnerabilities!
We are not interested in unknown scripts, software, applications or modules!
10. How does the Vulnerability-Lab create a secure communication layer between authors and companies?
The vulnerabilities are sent encrypted to the manufacturers and can only be read by them. The manufacturers of a product or service receive a confidential e-mail which leads them to a special link in the Vulnerability-Lab. This link brings the manufacturers directly to the finished, verified advisory. This gives them all the details needed to recognize the flaw and to investigate and verify it for themselves. Thus the manufacturers can fix the vulnerability as soon as possible. Then the manufacturers can accept the vulnerability, and this allows us to publish it. If a manufacturer knows that, for special reasons, it will only address the vulnerability in the next 4-6 months, it can also have the advisory published in advance. This option is only for manufacturers who want to / must / should inform their clients before the patch / fix is available. We also follow a specific disclosure policy.

11. Do you also promote other groups / teams / researchers?
We encourage other groups who believe they can sustain a certain monthly number of vulnerabilities. This number of publications and advisories should be stable and verified, or be tailored specifically to one product line. If you are interested in a long-term, independent contribution as a team or a group, it is necessary that a certain level is maintained. We also welcome single researchers who are looking for a team or want to join a legal working group of the lab. Those who are interested can send an email to the following address: admin@global-evolution.info
12. How can I contact the administrators of the Vulnerability-Lab?
Go to the contact page and select the admin email address. The link to the contact page is at the bottom of this page.
13. How can I contact the support team of the Vulnerability-Lab?
Send an email to the support team of Vulnerability-Lab. The email address can be found on the contact => support site. The link to the contact page is at the bottom of this page, or write to support@vulnerability-lab.com
14. I am a vendor of a product. Where can I request more details of the vulnerabilities found in certain products?
Send an email to the admin team of Vulnerability-Lab. The email address can be found on the contact => admin site. The link to the contact page is at the bottom of this page, or write to admin@vulnerability-lab.com
15. How can I find vulnerabilities from a certain author?
Click on the username of the requested author. After that the Vulnerability-Lab will display all vulnerabilities released by that author.
16. How can I find the vulnerabilities from a certain month?
Click on the date of one of the vulnerabilities of that month (for example 2010-08-28, which will then display all vulnerabilities from month 8 (August) of the year 2010).
17. Where can I search for certain vulnerabilities?
Go to the search page. The link to this page is located at the bottom of the page. On this page enter a CVE, CWE or HL ID and start your search query.

18. I have a good idea to improve the Vulnerability-Lab. Which email address can I send my ideas to?
Contact the administrators of the Vulnerability-Lab at admin@vulnerability-lab.com
19. I would like to become a customer of the Vulnerability-Lab. How can I contact the lab to discuss the possibilities?
Contact the support team of the Vulnerability-Lab at admin@vulnerability-lab.com
20. I would like to have my products tested by the team of the V-Lab. Who can I contact to discuss the possibilities?
Contact the support team of the Vulnerability-Lab at support@vulnerability-lab.com
21. What kind of vulnerabilities does the Vulnerability-Lab accept and detect?
Cross Site Scripting (persistent) Vulnerabilities
Cross Site Request Forgery
Click-Jacking & Cam-Jacking
Unrestricted & unauthorized local / remote file include
Directory Traversal / Path Traversal
Authentication, Filter or Exception Bypass
SQL Injection & Blind SQL Injection
Input Validation Vulnerabilities (persistent / non-persistent)
Stack / Buffer / Heap / Integer / Unicode overflows
Local / Remote privilege escalation
Format Strings
Memory Corruption
Division / Divide by Zero Bugs
Pointer vulnerabilities (... Null Pointer, Access Violation, Read, Write)
Local / Remote command execution
Local / Remote code execution
Denial of Service & stable Firmware Freeze + Blocks
Information leaking & information disclosure
Weak algorithm, weak encryption & weak ciphers
Misconfiguration of OS, systems & applications
Structure & design errors / flaws
Kernel panic / black & blue screens
Stable application- & software-crashes
If you have a vulnerability that doesn't belong to one of these categories or you are not sure, you may still submit it for a review and we will evaluate it for you.
22. Which products is Vulnerability-Lab mainly interested in?
The Vulnerability-Lab is mainly interested in vulnerabilities of the following products.
Most Used Software & Appliances
Browser - Opera, Safari & Chrome, Internet Explorer
Mozilla Firefox & ThunderBird
Skype & other important VoIP Software
GPS & Tracking Applications
Encryption Software / Security Tools
Frameworks
Java / JRE
.NET
Ajax Frameworks
Famous Products & Applications
Citrix Appliance, Software & Services
Apple - Mac OS, iPhone & iPod
Oracle Software Products
PGP Security Suite
Apache Foundation: Jakarta/Tomcat / Apache Webserver
Cisco Software, Router OS
Microsoft ISA, ISS, Sharepoint Services
Microsoft Office Suite
Juniper Security Suite
Barracuda Security Suite
Operating-System
WinXP, Win2003, 2008WS, Vista & Win7
FreeBSD, Slackware and OpenBSD
Fedora, Redhat, CentOS & ArchLinux
Debian, Ubuntu, SUSE (KDE) and MD
Solaris, Solaris 10
IBM AIX
However, this does not mean that vulnerabilities which do not relate to these products will not be accepted. It only means that we are very interested in vulnerabilities in specific products, such as well-known vendor software, applications and services, etc. (over 1000 customers / users).
23. What happens if two vulnerability researchers submit the same vulnerability to be verified?
We examine both submitted vulnerabilities and take them through the verification process. The researcher with the earlier submission is then accepted. The documentation of the second researcher will be removed or may, after consultation with the first submitting researcher, be used as a reference in the main advisory, so people can still use the documentation of the second advisory. The time span for a double submission is approx. 2 - 4 weeks; any vulnerabilities submitted later cannot be accepted for verification. So basically the earliest submitting researcher decides whether the link to the second advisory will be included.
24. How does Vulnerability-Lab protect the researchers?
When a researcher or analyst does not want to show his identity for references, IPS or press, he can get the status "N/A Anonymous". The Vulnerability-Lab will never disclose any details of researchers, analysts or members to public authorities, private agencies, companies or any other person. The Vulnerability-Lab will also never reveal sessions, IPs, e-mail addresses or locations. To protect the vulnerability researcher, we have included an encrypted exchange method via mail. Active researchers can easily send their encrypted material to be verified as newly submitted vulnerabilities. To protect the authors, we have also created a very good vulnerability discovery process. As long as a researcher follows the specific publication policy, nobody will get in trouble with the law, because the research policy prohibits illegal actions. All submitted content of a destructive nature will be deleted directly, without any abuse notification to the police or the government. We are not interested in storing hacks, sessions or any other illegal material.
25. Why are upcoming Advisories only viewable with restrictions?
Upcoming advisories are announcements of a vulnerability detection, a new document or a video.
You can view the progress of the advisory publication by checking the status indicator.
The Upcoming section is located on the left-hand side in the bottom navigation bar.
26. How do I follow your mobile/public RSS Feed?
To follow our public feed we provide a twitter account for mobile phones, and monitoring feeds.
Feel free to follow our new little twitter feed and enjoy the silence.
Feed URL: twitter.com/vuln_lab
Authors: Vulnerability-Laboratory
27. What details, resources, and data are provided on an advisory?
We provide the following details on our full zero-day advisories:
Title: (Title of Advisory/Vulnerability)
======
Date: (Release Date of Advisory)
=====
References: (Reference Links - CWE/CVE ID)
===========
VL-ID: (Internal Vulnerability-Laboratory ID)
=====
Introduction: (Product/Service/Website description of vendor with source)
=============
Abstract: (Short abstract information about the Vulnerability/Advisory)
=========
Report-Timeline: (Impacts: Report Vulnerability;Vendor Notification;Vendor Response/Feedback;Vendor Fix/Patch;Public or Non-Public Disclosure)
================
Status: (Impacts: Pending on Laboratory; Verified by Laboratory; Accepted by Vendor; Published(Customer) or Published(Index))
========
Exploitation-Technique: (Remote or Local)
=======================
Severity: (Impacts: Critical Flag(red), Elevated Flag(orange), Medium Flag(yellow), Low Flag(green))
=========
Affected: (Version & Product Description)
=========
Details: (Technical Details & Location of the Vulnerability/Bug)
========
Proof of Concept: (PoC, Exploit, Reference Links or Step by Step Description)
=================
Solution: (Fix or Patch)
=========
Risk: (Risk level description of author)
=====
Credits: (Author of the security advisory)
========
Disclaimer: (Copyrights, Law & Information)
===========
Attachment: (Debug Logs, Dumps, Error logs, Exception Logs, PoC, Test Session Logs, Pictures & sometimes Docs or Vids)
28. How does the Role System work?
Role > Anonymous
Anonymous users can only view restricted details of the vulnerabilities/advisories in the Laboratory.
Role > Lab User
A lab user is a registered user in the Laboratory and can view all advisory details on the index.
Role > Customer
Customers can view all provided details in the laboratory index and can access the customer area where specific commercial zero-day advisories are listed. Customers have all rights to use the advisories for their automatic notification, management or IPS systems. We have two types of C-licenses: 1. view all content; 2. use and duplicate all content. For both of them we provide a single and a multi license.
Role > Manager
Managers can view all index-listed advisories and can view/access the customer area. Manager accounts are for trusted and stable researchers/exploiters/analysts. Managers have their own panel to add new advisories to the vulnerability laboratory timeline.
Role > Administrator
The Administrators control the service, implement updates and verify advisories.
29. How can I see the complete details of the upcoming advisories?
You cannot view all details because the advisories are view-restricted for users.
These advisories will be released soon on the laboratory index site or in the customer section. The upcoming area needs to be protected because of the benefits policy, researcher & vendor protection, critical zero-day issues, etc.
30. Why can I not register a Laboratory User account on the Startpage (Index)?
Unfortunately, we do not allow everyone the full view of the vulnerabilities found in the Laboratory. Our program has five types of roles.
We only give out accounts to active researchers, analysts, developers, hackers, exploiters or groups.
By this method we try to provide protection against people who want to use the vulnerabilities for illegal purposes.
The registration (non-customer) can therefore only be made through the submission of a zero-day vulnerability. (submit[A|T]vulnerability-lab.com)
31. Does the V-Lab Team inform the vendor about every vulnerability?
We try to, but sometimes it is not possible because we get no response from a vendor/developer after trying for some weeks/months.
We try our best to inform all vendors. Any questions? Mail them to support[A|T]vulnerability-lab.com
32. BENEFITS!?
We provide you with fair benefits for using the Vulnerability Lab for the disclosure and vendor communication processes.
We charge 0% commission on the vendor's payment for vulnerabilities. The remaining 100% is your own payout.
Please note that the percentage distribution of the benefits is after taxes, following European law.
We provide you with the vendor communication and verification of the payment, to ensure that you have a complete overview of the transactions, in addition to ensuring just and reasonable business for every partner.
Why 0% on the Laboratory startup ...?
We are working on a new & completely working benefit program for hackers, analysts & researchers of our laboratory.
We will release the new benefit program in the next weeks ... so feel free to get a full payout from the vendors.
What you send is what you get ;) so feel free to submit a zero-day vulnerability.
Publication of Vulnerability/Bug by Researcher or Analyst
Discovery Process
Initial Researcher Communication
Lab reports Advisory to Vendor
Vendor communications and Agreements
Vulnerability Verification Process
Payout - Prize, Award & Benefits
33. Requirements/information for partners?
Vulnerability Lab - Disclosure Partnership Program
Step 1: Allowing inclusion
Consent for inclusion in the Security Vulnerability Lab Products List & delivery of specific product names.
Step 2: Admission to product testing list
The appropriate application or software can be included in a special private list for product safety testing.
Step 3: Penetration tests, List & Publication
The list is only provided to approved/qualified lab users and penetration testers. Our certified testers can search for vulnerabilities in your products. You can decide whether to make additional demo systems available to them to increase the hit rate. Our goal is the publication of (at minimum) 1 product vulnerability per month.
Step 4: Disclosure Process for Partners
After the submission of a vulnerability, the advisory will be verified in the laboratory and moved through the stages [Pending on Laboratory] via [Verified by Laboratory] to [Accepted by Vendor]. The partnership ensures that security holes are forwarded only to the product vendor/manufacturer. [View: Upcoming]
Step 5: Public disclosure?
The vendor has the choice whether the vulnerability is made public after fixing. The normal procedure is that after a bug is fixed it is made public. If for some reason a vendor does not want the bug to be public, the vendor has to give prior notice to the Vulnerability-Lab team (before the fix has been released). If a vendor chooses not to have the bug made publicly available, the bug will only stay in the private area of the Vulnerability-Lab.
Step 6: Banner
A banner will be placed on our partner site in the laboratory. On our partner site are all the trusted partners or sponsors that the Vulnerability-Lab has: vulnerability-lab.com/partners. It is also possible to exchange banners.
Step 7: Now wait ...
At this point the Vulnerability-Lab team and its researchers will try and find bugs in your programs/appliances/etc.