FrSIRT stops distributing free exploit code

A prominent French security company has stopped distributing exploit code to the general public -- a move that should come as a relief to many software vendors.

FrSIRT, formerly called K-Otik, and its parent company A.D. Consulting offer security consulting services, as well as a database recording software vulnerabilities. But the site also goes a step further, and publishes code exploiting those vulnerabilities, to the chagrin of some vendors, who charge that such practices verge on the irresponsible.

However, the firm has now pulled its database of exploit code into a paid service called FrSIRT Vulnerability Notification Service (FrSIRT VNS). The vulnerabilities database is still publicly available.

The VNS offers 24/7 notification services and incident response, according to FrSIRT, with notifications via a customizable web-based interface and email. FrSIRT claims to monitor 50,000 product versions. FrSIRT VNS also offers an online vulnerability scanner to identify vulnerabilities on a system. The basic service allows for one user, with a premium "VNS+" service supporting five or more users.

The three-year-old company has been active in its support of a "full disclosure" agenda since its formation, arguing that this leads to more secure products. Its corporate policy states that FrSIRT will "publish all the technical details of (a new vulnerability)... at the time of its discovery".

This is a more extreme view than that taken by other firms, which often keep bugs completely under wraps until they have been patched. Some firms, such as Verisign's iDefense, notify the public that there will be a vulnerability disclosed, but don't give details until a patch has been released.

FrSIRT argues its policy helps to "ensure IT security and to encourage vendors to quickly develop solutions and corrective measures for security problems".

However, security researchers are finding a growing market for selling exploit research, rather than publishing it to the general public. TippingPoint and iDefense are among those who offer payment for such research; last year an exploit for Microsoft Excel notoriously went on sale on eBay.

Until recently, the notorious hacker holy_father offered a paid version of his rootkit, Hacker Defender, with regular updates designed to fool security software.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?