Welcome back to CerberusSec. Our second blog post is a little late because we have a lot going on. This month we’d like to talk about the difficulties that face any small organization trying to enter the security industry. These issues are rarely discussed, and we will look at how they came to exist in the first place.
When you report a vulnerability with the same level of detail as, say, a Google advisory, many CNAs (CVE Numbering Authorities, often the affected vendor) will require you to jump through extra hoops to prove the validity of your finding rather than investigate it themselves. If you are a small research group, you may as well go the entire distance and write a PoC exploit, because otherwise your report is ignored and given no credit. This makes entry into these groups difficult, because you need both the skills to discover vulnerabilities and the skills to develop exploits. Speaking of credit, many organizations only pay bounties to researchers who are already known to them. Common sense would then say: ‘throw the CNA a small vulnerability and save the big one you’ve found for a bounty’. But as noted above, unless you have something truly substantial you must jump through extra hoops to even be considered by these CNAs, so you’ll need to give them your best just to get in the door.
We’re very interested in reverse engineering and exploit development, and you can expect posts about our progress and discoveries in that arena soon. In the near future we’d like to write something similar to this Corelan post on root-cause analysis of memory corruption vulnerabilities, https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/, using one of our own discoveries. We’d also like to compare the reverse engineering process on macOS and Windows in a separate blog post.