
Vulnerability analysis at the CERT Coordination Center (CERT/CC) consists of a variety of efforts, with primary focus on coordinating vulnerability disclosure and developing vulnerability discovery tools and techniques. Publicly available resources include:

  • Vulnerability Notes
  • Coordination and disclosure guidance for security researchers and vendors.
  • Vulnerability Reporting Form. Please be familiar with the guidelines before reporting.
  • Tools. Open source vulnerability discovery and analysis tools.
      • CERT BFF - Basic Fuzzing Framework. The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms. BFF performs mutational fuzzing on software that consumes file input.
      • CERT FOE - Failure Observation Engine. The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input.
      • CERT Tapioca. CERT Tapioca is a network-layer man-in-the-middle (MITM) proxy VM that is based on UbuFuzz and is preloaded with mitmproxy (http://mitmproxy.org/). CERT Tapioca is available in OVA format, which should be compatible with a range of virtualization products, including VMware, VirtualBox, and others.
      • CERT Triage Tools. The CERT Triage Tools project has been transitioned to the GDB 'exploitable' plugin project on GitHub (https://github.com/jfoote/exploitable).
      • CERT Vulnerability Data Archive and Tools. The CERT Vulnerability Data Archive contains nearly all of the non-sensitive vulnerability data collected by the CERT/CC, from the inception of the vulnerability notes database (approximately May 1998) to the date the archive was prepared, as noted above in the Change Log.
      • Dranzer. Dranzer is a tool that enables users to examine effective techniques for fuzz testing ActiveX controls.

The latest CERT/CC PGP key is always available on the cert.org website.
