Page 159 - Hands-On Bug Hunting for Penetration Testers
9
Framework and Application-Specific Vulnerabilities
Identifying a framework or application-specific vulnerability, including Known Component Vulnerabilities (identified by their CVE designation, which we'll discuss later), is a tricky business.
It's a universal stipulation of bug bounty programs that companies don't reward the same vulnerability twice: the first researcher to disclose a vulnerability is the only one that's rewarded. This goes hand in hand with the fact that companies usually won't reward already publicly disclosed bugs within two weeks of the discovery of the original zero-day (like everyone, they need time to deploy a patch), and they aren't interested in vendor-level vulnerabilities in third-party libraries. This might seem like a waste of time, then, except if we take two important points into consideration.
The cost of adoption is low. Since known component vulnerabilities are, well, known, it's much easier to build a tool to reliably find them, as opposed to less defined weaknesses in the architecture or logic of an application that require stepping through a UI manually. As with our example with Retire.js in the chapter Preparing for an Engagement, where we built a short set of scripts for detecting and reporting on client-side vulnerabilities in things like insecure jQuery libraries, it's a lightweight step that can be incorporated into any environment where we have access to the client-side source.
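As an added illustration of the kind of lightweight known-component check described above (not the book's own Retire.js scripts), the following Python scanner pulls library names and versions out of client-side source and compares them against a fix-version table. The advisory table, the sample page, and the library names it recognises are constructed placeholders, not real advisory data or a real target.

```python
import re

# Constructed, illustrative advisory table: library -> [(fixed_in, note), ...].
# Placeholders to show the comparison logic, not real advisory data.
ADVISORIES = {
    "jquery": [
        ("3.5.0", "PLACEHOLDER: example issue fixed in 3.5.0"),
        ("1.12.0", "PLACEHOLDER: example issue fixed in 1.12.0"),
    ],
    "bootstrap": [("4.3.1", "PLACEHOLDER: example issue fixed in 4.3.1")],
}

# Two places a version usually shows up in client-side source: the filename or CDN
# path in a <script src="..."> tag, and the banner comment at the top of a bundle.
SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
PATH_RE = re.compile(r'(jquery|bootstrap)[-./]?(\d+\.\d+(?:\.\d+)?)', re.I)
BANNER_RE = re.compile(r'/\*!?\s*(jquery|bootstrap)\s+v?(\d+\.\d+(?:\.\d+)?)', re.I)

# Constructed sample page (not from a real site) exercising both detection paths.
SAMPLE_PAGE = """<html><head>
<script src="/static/js/jquery-1.11.3.min.js"></script>
<script src="https://cdn.example/bootstrap/4.3.1/js/bootstrap.min.js"></script>
<script>/*! jQuery v3.6.0 | (c) OpenJS Foundation */</script>
</head></html>"""

def parse_version(v):
    """'3.5' -> (3, 5, 0); padding keeps '3.5' from comparing below '3.5.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def find_components(source):
    """Return sorted (library, version) pairs found in script paths or banners."""
    found = set()
    for src in SRC_RE.findall(source):
        m = PATH_RE.search(src)
        if m:
            found.add((m.group(1).lower(), m.group(2)))
    for lib, ver in BANNER_RE.findall(source):
        found.add((lib.lower(), ver))
    return sorted(found)

def report(source):
    """Flag each detected component whose version is below an advisory's fix version."""
    findings = []
    for lib, ver in find_components(source):
        for fixed_in, note in ADVISORIES.get(lib, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append((lib, ver, fixed_in, note))
    return findings
```

Running `report(SAMPLE_PAGE)` flags only the jQuery 1.11.3 bundle; the 3.6.0 banner and the Bootstrap 4.3.1 path are at or above the table's fix versions and are left alone.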
Understanding security posture is important. The term security posture is shorthand for the general capability of an application or network to prevent, detect, and respond to attacks. If you open up your diagnostic tools and see right away that there are several critical reported vulnerabilities in either the framework, language version, or a vendor service, that can tell you a lot about the security practices at that company. If so many low-hanging fruit are within reach, is their bounty program still young? Do they have an established policy for security life cycle management? If there's a path to an attack scenario from the discovered vulnerabilities, great! But even if that's not the case, the information is valuable, for what it telegraphs might be lurking just beneath the surface.

