GRIMM announced the launch of the company’s new Private Vulnerability Disclosure (PVD) program. This offering allows defenders to get ahead of the attack curve, instead of reacting to unknown threats, by providing previously unknown vulnerabilities.
Subscribers will have access to a stream of high-impact vulnerabilities from GRIMM’s internal research team. Release timing will be at least two weeks before the vulnerabilities are publicly known, allowing partners to defend themselves before most attackers are aware of the vulnerability/vulnerabilities.
Each PVD release will include:
- Full technical details of the vulnerabilities and affected systems
- Instructions on how to quickly mitigate
- Any indicators of compromise (such as log messages) to speed detection
It also includes proof-of-concept exploit, which provides:
- Verification that specific configurations are (or are not) vulnerable
- Assessment of defenses to determine true effectiveness
- Documentation illustrating how the attack works, enabling
- Blue teams to write robust mitigations and detections
- Red teams to improve skills on the art of exploitation
Because the releases contain only high-impact vulnerabilities, a user’s inbox will not be filled with low-risk or insignificant issues. This means engineers will not waste resources looking into minor issues; rather, resources may focus efforts on the most pressing of challenges.
The security research is done entirely by GRIMM’s internal PVD team. The GRIMM PVD team has decades of experience in the most sensitive environments.
Research targets are selected based on extensive threat modeling and our team’s deep background in reverse engineering and vulnerability research.
Because GRIMM has a strong commitment to partnership, the PVD program welcomes requests to look into specific software or hardware. GRIMM is able to offer this service to a limited, trusted clientele to ensure that the program is used appropriately while the team works with the vendors for patches.