Xanda's Blog !~!

New Project / Hobby :: Hunting / Collecting 0day in Ethical Way

Jun 14

Maybe you’ve heard about iDefense Lab and Zero Day Initiative before. If not, please stop reading the rest of this entry because you might not understand what I’m trying to say.

Yes, I’m trying to establish something similar to iDefense Lab and Zero Day Initiative, but the difference is that I’m not gonna sell the bugs and PoCs. And no exploit will be released to the public either. To me, it is all about fun and ethics.

Personally, I’ve found a few 0days during my Uni time & working time:

  • 2007 – Local Uni’s web apps – [already busted]
  • 2007 – Local Uni’s web apps – [already busted]
  • 2008 – Friend’s CMS (blog) – [already busted]
  • 2008 – Friend’s CMS (fyp) – [admin already alerted & already busted]
  • 2009 – Famous hypermarket’s web apps – [admin already alerted]
  • 2009 – Big local company’s web apps – [admin already alerted]
  • 2009 – Foreign Uni (faculty) web apps – [hmm… :D]
  • 2009 – Local Uni (faculty) web apps – [admin already alerted]

All the bugs I found in 2007 & 2008 were abused by me, but starting in 2009, the vulnerabilities I found have been reported to the developer/admin for further action.

Starting in the next 2 weeks, I’m going to hunt more 0days in a proactive manner and in an ethical way. My area of interest will be web applications. Alerts will be sent to the vendor and general advisories will be released to the public. ‘Hunting’ is not the problem now, but ‘trademark’, timeline, alerting and advisories are the current issues for me. I’m going to consult one of the old-timers in this area next week to seek his advice.

Good luck to me. Till next time.

[updated]

My colleague in UIA informed me that he wants to be part of the project and is going to focus on modules/components. Thanks, mate.