upSploit – Vulnerability Advisory Gateway
by Webantix on Jul.01, 2010, under Hacking, Project, Security
What is upSploit?
upSploit is a free service to the IT security industry that enables vulnerability and exploit advisories to be distributed easily between the founder, vendor and other security professionals. This Vulnerability Advisory Gateway (VAG) should break down the barriers for security researchers and professionals to pass details of vulnerabilities to vendors in a structured, easy-to-follow process.
How does upSploit work?
upSploit consists of two sections. The first is public, where you can search and view published advisories and also read more information about the project. The second is for registered members, who can either upload their existing advisory or, if unsure how to write one, automatically generate an advisory by using our online advisory wizard form.
Once these details have been uploaded, upSploit automatically passes the information on to the correct vendor and arranges for a patch to be released.
Once this occurs the user can then choose which mailing lists and databases to submit their advisories to.
Why use upSploit?
With a number of options available to the security professional regarding disclosure of vulnerabilities, we are trying to create a process that will provide a natural balance for both vendor and security researcher.
We want a place where both vendor and security professional are equal, which is why we have put together a responsible disclosure policy. We will contact the vendor a number of times over a set period to try and arrange a patch date and then publish the advisory. If this time is exceeded we will then publish the advisory to the community, although this circumstance is decided on a case-by-case basis.
We have given the security professional the control to decide where each of their advisories is sent. If the user doesn’t want to upload to a particular mailing list or database then they don’t have to; if they want it to be anonymous, it will not show up in their public profile.
How is this different to any other database or mailing list?
The service isn’t just a database. It provides the user with so much more. The main point of upSploit is that it distributes the advisory to the vendor and other databases and mailing lists. It does the job that otherwise can take the user hours to do themselves. After the advisory has been published we will then show all of our advisories in a usual manner for future analysis and historical reference.
Dates for the calendar
There are three stages to the upSploit development plan and the dates are as follows:
19th July – 2 August 2010 –> Alpha Stage
2nd August – 6 September 2010 –> Beta Stage
6th September 2010 –> Version 1
These dates are not set in stone; however, they are not likely to change.
We are now opening our doors to three types of people, listed below:
Alpha Testers
Beta Testers
Sponsors
Alpha Testers are needed to find vulnerabilities and bugs within the service, i.e. we are looking for web application assessments and testing.
Beta Testers are needed to actually use the service, i.e. we need people who are actively finding vulnerabilities and exploits and contacting vendors.
Sponsors are needed to help support the development of the project. The hope is that upSploit is going to be used by a lot of people, and by sponsoring upSploit your logo will be found on the main page, attracting views from those people.
To apply as any or all of the above please email the upSploit team at info@upsploit.com with your name and information on why you want to be an alpha/beta tester or sponsor.
Thomas Mackenzie & Duncan Alderson



