I should have been clearer. Researchers post SHA-1 hashes publicly (if they care). They send the actual details directly to the vendor. The vendors you care about publish PGP keys. The ones who don't can't really be trusted to handle security advisories anyways. No, really: they really do put them in their public bug databases!
What made the vulnarb.com idea interesting is that by combining the two actions --- a safe public notice and a secure vendor communication --- you could create a public clearinghouse that consumers can consult to see if (say) Google is holding back on disclosures.
The issue here is, you don't need an elaborate crypto scheme to do this. Tavis Ormandy doesn't have to post an encrypted bundle anywhere to notify the public that he has a new Microsoft bug. He can just say "I have a new Microsoft bug" on Twitter. Reputation is so compelling that really, nobody bothers even posting SHA-1 hashes anymore. If you work for a credible vuln research shop and you post a message saying you have a finding in Adobe Reader, you have it. Case closed.
Zed could build the aggregator for these reports if he wanted to. It would be valuable. But that's just data entry. Zed programs. I don't blame him. I program too. I wouldn't want to build that site either.
> Tavis Ormandy ... can just say "I have a new Microsoft bug" on Twitter.
You're right, but what about the nobodies that haven't built up a personal trophy case of exploitable bugs? vulnarb.com may be solving a problem that doesn't exist for people that are already at the top of the vulnerability researcher club, but as with any group of people, there are hundreds if not thousands of people that aren't known and don't care to be the "l33t" ones giving conference talks and swapping private keys with Schneier and Knuth.
This could be a gateway for those people, college students and unknown hackers from non-first-world countries (the alleged Comodo hacker types, for instance), to responsibly and legitimately get into the field. If marketed right, vulnarb.com could be a perfect way to post these notices, without getting trolled to oblivion on F-D.
Sorry I deleted my comment just as you posted. Thanks for the explanation.
Here is the deleted comment:
How does a vendor go from said SHA-1 hash to what the vulnerability is?
I saw this as a rough draft for a way to easily publish vulnerabilities without letting the public view them but still letting the vendor have all the information.
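The commit-and-reveal mechanism the thread is discussing, as an added example that is not from vulnarb.com or any commenter: the researcher publishes only a hash (the commitment), sends the full advisory to the vendor, and later anyone can verify that the published advisory is what was committed to. It uses SHA-256 rather than the SHA-1 the thread mentions, adds a random nonce so a short advisory cannot be recovered by guessing, and the advisory contents are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample advisory: the details that go only to the vendor.
# Product name and summary are hypothetical.
ADVISORY = {
    "product": "ExampleReader 9.x",
    "summary": "heap overflow while parsing an embedded font table",
    "reporter": "anon-researcher",
}


def canonical_bytes(advisory: dict) -> bytes:
    # Stable serialisation so the same advisory always hashes the same way.
    return json.dumps(advisory, sort_keys=True, separators=(",", ":")).encode()


def commit(advisory: dict, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (public_commitment_hex, nonce).

    The public value is SHA-256 over nonce || canonical advisory. Without the
    nonce, a bare hash of a short sentence could be brute-forced by hashing
    plausible advisory texts; with 128 random bits it reveals nothing.
    """
    if nonce is None:
        nonce = secrets.token_bytes(16)
    digest = hashlib.sha256(nonce + canonical_bytes(advisory)).hexdigest()
    return digest, nonce


def verify(advisory: dict, nonce: bytes, commitment: str) -> bool:
    """Check a later-published advisory and nonce against the earlier commitment.

    Any third party (a consumer site, the vendor, the public) can run this to
    confirm the disclosed text is the one committed to at publication time.
    """
    expected, _ = commit(advisory, nonce)
    return hmac.compare_digest(expected, commitment)


if __name__ == "__main__":
    public_hash, secret_nonce = commit(ADVISORY)
    print("public notice:", public_hash)          # goes on the public site
    print("to vendor:", ADVISORY, secret_nonce.hex())  # sent privately
    print("verifies:", verify(ADVISORY, secret_nonce, public_hash))
```

The nonce must travel with the private advisory and be released with it; until then the public hash proves only that the researcher held some fixed text at that time, not what it said.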