Vulnerability analysis at the CERT Coordination Center (CERT/CC) consists of a variety of efforts, with primary focus on coordinating vulnerability disclosure and developing vulnerability discovery tools and techniques. Publicly available resources include:
- Vulnerability Notes
- Coordination and disclosure guidance for security and vendors.
- Vulnerability Reporting Form. Please be familiar with the guidelines before reporting.
- Tools. Open source vulnerability discovery and analysis tools.
- CERT BFF - Basic Fuzzing Framework — The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms. BFF performs mutational fuzzing on software that consumes file input.
- CERT FOE - Failure Observation Engine — The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input.
- CERT Tapioca — CERT Tapioca is a network-layer man-in-the-middle (MITM) proxy VM that is based on UbuFuzz and is preloaded with mitmproxy http://mitmproxy.org/. CERT Tapioca is available in OVA format, which should be compatible with a range of virtualization products, including VMware, VirtualBox, and others.
- CERT Triage Tools — The CERT Triage Tools project has been transitioned to the GDB 'exploitable' plugin https://github.com/jfoote/exploitable project on GitHub.
- CERT Vulnerability Data Archive and Tools — The CERT Vulnerability Data Archive contains nearly all of the non-sensitive vulnerability data collected by the CERT/CC, from the inception of the vulnerability notes database (approximately May 1998) to the date the archive was prepared, as noted above in the Change Log.
- Dranzer — Dranzer is a tool that enables users to examine effective techniques for fuzz testing ActiveX controls.
The latest CERT/CC PGP key is always available on the cert.org website. Our current key has key ID 0x236C3502.