History of Vulnerability Disclosure

Description
Artifacts
Essays

This group offers an overview on the history of vulnerability disclosure. For now, this group has an americanocentric bias that we will try to fix with time.

It gathers some documents (or "artifacts") that we have collected and that are part of the material we use to analyze bug bounties history in our ongoing research.

You can as well see all this documents on the History of Vulnerability Disclosure Timeline.

We welcome your comments and opinions about the timeline and any of its contents. To interact with the timeline or a particular document you need to register on this plateform (register form is accessible on the homepage up right). If you want to suggest us to add some new materials or if you are insterested to reach us and know more about our ongoing research, please send us an email: david.bozzini@unifr.ch

Wolf Hill Group’s Exclusive Interview with Scott Chasin, Information Security Pioneer And Serial Entrepreneur
VCP Reward Programs (iDefense)
iDEFENSE Labs Website Launch
Ranum Keynote Slides (Black Hat Conference 2000)
Script Kiddiez Suck: V2.0 (Ranum on his keynote)
Vulnerabilities Equities Policy and Process for the United States Government
Government's Role in Vulnerability Disclosure (Harvard - Belfer Center)
The four problems with the US government's latest rulebook on security bug disclosures (The Register)
OWASP Top 10 - 2017
The Legitimate Vulnerability Market: Inside the Secretive World of 0-day Exploit Sales (Miller article)
Emerging Economic Models for Vulnerability Research (Nagle and Sutton paper)
Trojan Source: Invisible Vulnerabilities (Boucher and Anderson article)
‘Trojan Source’ Bug Threatens the Security of All Code (Krebs on Security)
'Nothing's Going to Last Forever': An Oral History of the LØpht (Part Four- Fisher paper)
Thirty Minutes Or Less: An Oral History of the LØpht, Part Three
‘Microsoft Was Freaking Out‘: An Oral History of the LØpht -Part Two - Fisher Paper)
‘We Got to Be Cool About This‘: An Oral History of the L0pht (Part One - Fisher paper)
'Drive It Like You Stole It': When Bug Bounties Went Boom (Part Three - Fisher paper)
Uprising in the Valley: When Bug Bounties Went Boom (Part Two - Fisher paper)
Lawyers, Bugs, and Money: When Bug Bounties Went Boom (Part One - Fisher paper)
Windows of Vulnerability: A Case Study Analysis (IEEE paper)
VeriSign iDefense offers US$48,000 for Vista, Internet Explorer 7 vulnerabilities (Chickowski paper)
Quarterly Vulnerability Challenge (iDefense Labs)
Motives of Code Red Bug Hunters Questioned (PC World paper)
HP, Bug-Hunters Declare Truce (PC World paper)
Master-Keyed Lock Vulnerability (AT&T Labs)
iDefense
Is the iDefense challenge worth it? (Chickowski paper)
iDefense Press Release 2006/02/10
Full Disclosure: How Much Security Info Is Too Much? (Lyman article)
Forget Disclosure — Hackers Should Keep Security Holes to Themselves (WIRED Article)
Full Disclosure is a necessary evil - Elias Levy
A Method for Web Security Policies draft-foudil-securitytxt-06 - Foudil and Shafranovich Draft
Die Hacker Bibel - Chaos Computer Club (Second Edition : Das neue Testament)
Die Hacker Bibel - Chaos Computer Club (First Edition : Kabelsalat ist gesund)
Coordinated Vulnerability Disclosure at Microsoft
Kerckhoffs - La cryptographie militaire (Part Two)
Kerckhoffs - La cryptographie militaire (Part One)
Software Vulnerabilities: Full-, Responsible-, and Non-Disclosure - (Cencini, Yu and Chan publication)
Bug Bounty Programs Are Being Used to Buy Silence - Schneier Post
Beyond HOPE Hacks into Big Time (WIRED article)
The CERT Guide to Coordinated Vulnerability Disclosure
Schneier - Cypto-Gram July 15, 2000
Apple Bug Bounty program
Three iOS 0-days revealed by researcher frustrated with Apple’s bug bounty
Apple pays hackers six figures to find bugs in its software. Then it sits on their findings.
Apple AirTag Bug Enables ‘Good Samaritan’ Attack
Remote print server gives anyone Windows admin privileges on a PC
Microsoft Exchange servers are getting hacked via ProxyShell exploits
Cryptographic platform PolyNetwork rewards hackers who stole $ 610 million with a $ 500,000 bug bounty
TikTok Is Removing Educational Hacking Videos
Steven Levy - Hackers Heroes of the Computer Revolution - 2010
The CERT/CC Vulnerability Disclosure Policy
Ultimate Guide to disclosure - 2021 (Bugcrowd)
Microsoft's Responsible Vulnerability Disclosure, The New Non-Issue
Announcing Coordinated Vulnerability Disclosure (Microsoft)
The Telltale Text File: Security Researcher Proposes Standardization for Reporting Vulnerabilities (on Security.txt)
Security.txt Standard Proposed, Similar to Robots.txt
Security.txt
Update on the CERT Guide to Coordinated Vulnerability Disclosure (2019)
FIRST updates guidelines for multi-party vulnerability disclosure (Haworth Paper)
FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure Version 1.1 2020
Guidelines and Practices for Multi-Party Vulnerability Coordination Open to Review (on FIRST Guidelines)
FIRST Vulnerability Disclosure Guidelines
Vulnerability Disclosure FAQ (Project Zero)
Project Zero Policy and Disclosure: 2021 Edition
Geer Keynote at Black Hat 2014 - Cybersecurity as Realpolitik (transcription)
Black Hat 2014 Keynote: Cybersecurity as Realpolitik (on Geer Keynote)
Geer Keynote
Google Project Zero
Guide for how to handle vulnerability reports (on ISO/IEC 29147:2014)
ISO/IEC 29147:2014
Filling A Gap In the Vulnerability Market – First Bounty Notification (Microsoft)
Microsoft Vulnerability Research Advisories
Coordinated Vulnerability Disclosure Reloaded (Microsoft)
Coordinated Vulnerability Disclosure: From Philosophy to Practice (Microsoft)
Microsoft Vulnerability Disclosure
Google Ups the Bug Bounty Ante to $3133.7 (Threat post)
Google to Pay For Bugs Found in Chromium (Threat post)
Google Vulnerability Report
OIS
IETF
MS says stop discussing hack exploits - Leyden paper
Culp Debate
Ranum Keynote debate
Schneier - Crypto-Gram August 15, 1999
Back Orifice
ImageShack hacked in oddball security protest (anti-sec movement)
AntiSec Policy
AntiSecurity Presentation
Anti-Sec Movement
L0pht - Wikipedia
Into the Breach - Ferdin
Whacked Mac collection CD (L0pht)
L0pht Advisory: release of L0phtCrack for NT (Bugtraq archive)
L0pht
Full Disclosure works, here's proof - Bugtraq archives
Bugtraq archives
Cert CC
Bugtraq Mailing List - Archives
Bugtraq
Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier
Böck - Der ungeklärte Btx-Hack
BTX-Hack - Wikipedia
BTX-Hack
Schneier publications
Interview with Dan Farmer (;login:)
Improving the Security of Your Site by Breaking Into it
Anti security "policy" v0.9
The beginner's Guide to Bug Bounty programs (HackerOne)
The 2021 Hacker Report (HackerOne)
The 2020 Hacker report (HackerOne)
Ultimate guide to Vulnerability disclosure - 2021 (Bugcrowd)
A New Decade in Crowdsourced Security (Bugcrowd's Priority One Report)
The Hacker powered security Report 2019 (HackerOne)
Wannacry Ransomware
Intigriti bug bounty
Apple bug bounty
United Airlines bug bounty
YesWeHack bug bounty
HackerOne bug bounty
Facebook bug bounty
Bugcrowd bug bounty
Mozilla Bumps Bug Bounty to $3,000
Mozilla bug bounty
Vista contest offers cash for exploits (itnews paper)
iDefense Bug bounty
RSAC 2021 Keynote: The Cryptographers' Panel
Deconstructing the myths behind the full-disclosure debate (Shepherd paper)
Deconstructing the myths behind the full-disclosure debate (Heiser 2001)
Three Minutes With Security Expert Bruce Schneier (PCWorld paper)
RFP Policy
Interview with Rain Forest Puppy (by Parata)
Three Minutes with Rain Forest Puppy (RFP interview by Zetter)
Black Hat 2000 - Ranum and Granick VS Rausch and Amhed
L0pht testimony before the Congress (United States Senate Committee on Governmental Affairs)
Fortinet slams Rapid7 for disclosing vulnerability before end of their 90-day window
AWS BugBust
Google Open Source Vulnerabilities (OSV)
Amazon bug bounty
disclose.io
Atlantic Council - It takes a village: How hacktivity can save your company
ENISA Report - Economics of Vulnerability Disclosure
FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
A File Format to Aid in Security Vulnerability Disclosure (Security.txt)
CERT Guide to Coordinated Vulnerability Disclosure announcement
US Vulnerabilities Equities Process (Fact Sheet)
DOJ: Framework for a Vulnerability Disclosure Program for Online Systems
ENISA - Good Practice Guide on Vulnerability Disclosure
A Call for Better Coordinated Vulnerability Disclosure (Microsoft and Google Project Zero)
Geer Keynote at Black Hat 2014 - Cybersecurity as Realpolitik
FIRST Vulnerability Coordination SIG
Open Source Vulnerability Disclosure Framework
Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers
Heartbleed Website
ISO/IEC 29147:2014
Heart of Blue Gold – Announcing New Bounty Programs (Microsoft)
Microsoft Says No to Paying Bug Bounties (Fisher paper)
Coordinated Vulnerability Disclosure: Bringing Balance to the Force (Microsoft)
Google Project Zero
Google 7-days disclosure
Rebooting Responsible Disclosure: a focus on protecting and users
Google Security Reward - 2015 Year in Review
No more free bugs for software vendors (Fisher paper)
Threat Complexity Requires New Levels of Collaboration - Stone and Moussouris on the creation of MSVR
How long can a Mac survive the hacker Jungle ? (on PWN to OWN contest)
THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)
Creation of ZDI
NIAC VULNERABILITY DISCLOSURE FRAMEWORK
How do we define Responsible Disclosure? - Shepherd
Exploit Code on Trial (Poulsen paper)
Schneier - Crypto-Gram February 15, 2003
Open Source Vulnerability DataBase (OSVDB)
Full Disclosure mailing list - Archives
WEIS Workshop (Berkeley university)
Full Disclosure of Vulnerabilities – pros/cons and fake arguments (Vidstrom paper)
The realities of Disclosure : Morgenstern and Parker on Christey and Wysopal failure
'Responsible Disclosure' Draft Could Have Legal Muscle - Rasch on Christey and Wysopal draft
It's time to be responsible (Morgenstern, Parker and Hardy paper)
Responsible Vulnerability Disclosure Process - draft-christey-wysopal-vuln-disclosure-00.txt
Security Through Obscurity Considered Dangerous - Bellovin and Bush
Guidelines for Security Vulnerability Reporting and Response (Version 2.0) - OIS
Microsoft Reveals Anti-Disclosure Plan (Poulsen paper)
"MS throttles research to conceal SW bugs" (Greene paper)
MS to force IT-security censorship (Greene paper)
Toward the development of industry standards for security vulnerability handling - OIS objectives
Security and IT Industry Leaders Form Organization for Internet Safety - Creation of OIS
ACM: Digital Library: Computers and Society - Bollinger paper
Schneier - Crypto-Gram March 15, 2002
Schneier - Crypto-Gram November 15, 2001
Security woes: Who is to blame? - Culp interview
NEOHAPSIS - LeBlanc reaction on Culp essay
Keeping Security Issues in the Open - Davies reaction on Culp essay
Peace of Mind Through Integrity and Insight - Manzuik reaction on Culp essay
Security in an Open Electronic Society - Levy reaction on Culp essay
Information Anarchy: The Blame Game? - Edwards reaction on Culp essay
A Step Towards Information Anarchy: A Call To Arms - hellNbak
Culp - It's time to end information anarchy
Hobbs, Rudimentary Treatise on the Construction of Locks
Interview with Elias Levy (Bugtraq)
CERT to disclose software flaws - Lemos paper
CERT/CC Overview
Schneier - Crypto-Gram September 15, 2000
Schneier Keynote Speech at the US Black Hat Conference
Anti-hacking method of full disclosure under attack from a part of the security industry - McClure and Scambray
Do security holes demand full disclosure? - Pond answer to Ranum's Keynote
Silence the best security policy - Lemos on Ranum's keynote
Ranum Keynote speech at the US Black Hat conference
Hug a hacker, before they go underground (Sydney Morning Herald newspaper)
Schneier - Crypto-gram January 15, 2000
;LOGIN: SPECIAL ISSUE ON SECURITY
History of CVE
Nomad Mobile Research Centre (NMRC) - Announcement
White-Hat Hate Crimes on the Rise (Wired Paper)
Ant-Sec - We are going to terminate Hackforums.net and Milw0rm.com - New Apache 0-day exploit uncovered
Hacker Group Says Program Can Exploit Microsoft Security Hole (NY Times)
Hackers keep the heat on Windows NT security (L0pht)
What SATAN is
Netscape Announces "Netscape Bugs Bounty" with release of Netscape Navigator 2.0 Beta
Improving the Security of Your Site by Breaking Into it
Bugtraq mailing list - Wikipedia
Schneier - Crypto-Gram February 15, 2000
Zardoz (computer security)
The Cuckoo's Egg, book written by Clifford Stoll
Borchers Detlef - Bankraub per Telefon (on BTX-Hack)
Kerchoff crypto principle - Wikipedia