Guardians of the Digital Realm: Celebrating 400 Advisories and Responsible Disclosure

news

The SEC Consult Vulnerability Lab has been a player in the top league of IT security research for twenty years, tirelessly identifying 0-day vulnerabilities and disclosing them responsibly.

Launched in the year 2003, in the early days of the Internet's widespread adoption, the Lab's mission was clear:  

To make the digital world safer for all.

And what a journey it has been! 

The first part of this blog post series honours the contributors of the past two decades of the SEC Consult Vulnerability Lab whereas the second, upcoming part is a more critical reflection on our experience with responsible disclosure, e.g., regarding non-responsive vendors, patches taking multiple years, legal threats and open questions and wishes for the future. 

Both blog posts were written by Johannes Greil, Head of SEC Consult Vulnerability Lab. 

20 years SEC Consult Vulnerability Lab 

The role of ethical hackers has become increasingly important in the ever-evolving world of IT security. These guardians of the digital realm tirelessly probe for vulnerabilities, expose weaknesses, and serve as the unsung heroes of our connected age. 

It all started in a small, shared office space in Vienna, Austria in 2002. There were only a handful of IT security specialists in the newly founded security consulting company “SEC Consult”, but the company grew fast into an internationally renowned business. It became apparent quite quickly, that the company’s mission to protect customers’ information assets and make the world a safer place through commitment, expertise, and innovation, could only be achieved by constantly improving ourselves. 

One of the possibilities to achieve our goals of being better than world-class, is to nurture a culture of learning and building up knowledge. It was decided that we should also make our findings available to the world, as everyone would profit from the research publications in the same way as we benefit from others in the security community.  

The SEC Consult Vulnerability Lab was born.

We started publishing security advisories as early as 2003. Soon, we saw the need for responsible disclosure – at that time full disclosure and sending 0-days to BugTraq or other mailing lists was rather common. Ultimately, we want our customers to be able to patch or reconfigure their systems in a timely manner, provide proof of concept material to the community, or strengthen the detection mechanisms for defenders. 

Throughout the past two decades, the Lab has built up a remarkable record of achievements, raising our advisory counter to over 400 published security advisories and even more interactions with vendors. Similarly, an additional three-digit number of advisories with 0-days that could not be made public for a variety of reasons. Many interesting technical blog posts, proof of concept videos, Pwnie award nominations and winnings, multiple talks at conferences such as Black Hat or Hack in the Box, published open source tools, or media articles can be added to the success of the SEC Consult Vulnerability Lab. 

But what is the Vulnerability Lab? It is comprised of all our employees who contribute to every publication in one way or another. 

It could not have been possible without the first employees and back then CTO Martin Eiszner and now Google red teamer and senior staff manager Daniel Fabian, eagerly pushing out the first advisories. I also want to thank so many more colleagues I am proud to have worked for in the past decades.  

The following overview contains all past and current researchers at SEC Consult who have published a security advisory or blog post, and many more who did not wish to be named in our public security advisories (the order is based on the year and is therefore somewhat random): 

Martin Eiszner Daniel Fabian Johannes Greil Bernhard Müller Thomas Kerbl lofi42 Clemens Kolbitsch Sylvester Keil Gerhard Wagner Stefan Streichsbier David Matscheko L.Weichselbaum Michael Kirchner Kestutis Gudinavicius Elisabeth Demeter Miroslav Lučinskij Povilas Tumenas Stefan Viehböck Florian Lukavsky V.Paulikas C.Schwarz Bernhard Schildendorfer Johannes Dahse Andreas Nusser A.Antukh S.Temnikov Wolfgang Ettlinger M.Heinzl Andreas Falkenberg T.Lazauninkas R.Giruckas A.Kolmann A.Baranov Manuel Hofer B.Kopp C.Kudera Stefan Riegler C.A.Valentin Habsburg-Lothringen Mindaugas Liudavicius René Freingruber P.Morimoto J.Krautwald M.Niederwieser Daniel Schwarz Thomas Weber Samandeep Singh Siddhartha Tripathy Mingshuo Li Raschin Tavakoli M.von Dach A.Nochvay Werner Schober Matthias Klinski Daniel Ostovary Mantas Juskauskas Roman Ferdigg Malte Batram M.Tomaselli Johannes Moritz Jean-Benjamin Rousseau Thongchai Silpavarangkura Sabine Degen Marius Schwarz N.Rai-Ngoen Mathias Frank Ahmad Ramadhan Amizudin Fikri Fadzil Wan Ikram Jasveer Singh David Haintz Guillaume Crouquet Andreas Kolbeck Ting Meng Yean Thanaphon Soo Florian Lienhart Aida Mynzhasova Marc Nimmerrichter Steffen Robertz Markus Koplin Tamas Jos T.Serafin Gerhard Hechenberger Stefan Michlits Daniel Teuchert Calvin Phang Ying Shen Khalil Bijjou Farhan Rahman Azrul Ikhwan Zulkifli Eneko Cruz Elejalde Philipp Espernberger Johannes Kruchem C.Svoboda Nik Ramadhan Nik Idris Anastasia Melnikova Mohd Ali Ramlan Jaafar Sham Maskan Armin Stock Daniel Teo Ian Chong Oualid Lkhaouni Sutthiwat Panithansuwan Oliver Boehlk Moritz Friedmann Natsasit Jirathammanuwat Yew Chung Cheah Fabian Hagg Anna Hartig Constantin Schwarz Niklas Schilling Michael Baer Timon Vogel Hrvoje Filakovic Daniel Hirschberger Timo Longin Alexander Meier Sandro Einfeldt D.Zalmanov A.Vodyasov A.Ovsyannikova Armin Weihbold Stefan Michlits Gorazd Jank Paul Serban Fabian Densborn Bernhard Gründling Christian Hager Constantin Schieber-Knoebl Heiner Liesegang Florian Roth Marius Bartholdy Lukas Donaubauer Leonard Eschenbaum Angelo Violetti Tobias Friese Yuri Gbur Sven Bernhard

Take a closer look:

Publishing security research and advisories is a quadruple win for our stakeholders. The vendors get a quality improvement, SEC Consult customers do not need to bother with vendor coordination and communication, we as a company get some marketing material, and our team gets the CVE (Common Vulnerabilities and Exposure) numbers and deeper expert knowledge. 

Yet, it would be remiss not to recognize the hurdles and challenges that have punctuated this journey. Responsible disclosure, a principle at the core of ethical hacking, has not always received the warm embrace it deserves. Our upcoming blog will dig deeper into our experience with responsible disclosure and different types of more or less security-aware vendors. 

Are you interested in working at SEC Consult?

SEC Consult is always searching for talented security professionals to work in our team.
More Information

Latest Research from the Vulnerability Lab

About the author

Johannes Greil
SEC Consult Group
Head of SEC Consult Vulnerability Lab | Team Lead

With nearly 20 years of experience, he is responsible for all the inner workings of the SEC Consult Vulnerability Lab, tirelessly managing all the cogs in the background, and ensures as a team lead, that everything keeps running smoothly within the team.

Back