Privasec’s Ridiculous Claim of a “World Record” in Vulnerability Disclosure

On May 9, 2019, Privasec published an odd press release with a URL slug of “privasec-queensland-telstra-acquisition” but a title of “Privasec Red’s Consultant Breaks World Record By Disclosing Most Number Of Open-Source CVEs.” This claim is simply wrong. To believe it requires either a complete understanding of the vulnerability disclosure landscape or intent to deceive. Neither is a good look for a security company.

The Claim

The claim that Sajeeb Asim Lohani (a.k.a. sml555 a.k.a. ProDigySML) has disclosed 120 vulnerabilities and it is a record that is fairly trivial to debunk. I say fairly trivial because it requires a good vulnerability dataset that tracks creditee information. Since CVE / NVD do not do that, I am curious how Privasec came to their conclusion. SecurityFocus’ BID and IBM X-Force are public databases that track creditee, but neither allow for a way to readily poll for that statistic. Even scraping that data, mangling it, and making a local searchable dataset should quickly show that 120 is probably not the record. [Update: IBM XFD shows 60 total]. So Privasec’s first mistake is not disclaiming how they determined their claim.

The Debunking

Using VulnDB, which also tracks creditee and makes it easy to search along with statistics around the researcher, I don’t even see 120 vulnerabilities creditee to Lohani. This is after combining three separate creditees, Lohani, sml555, and ProDigySML, that were all one into a single creditee. That yielded 78 vulnerabilities:

Why 78 vs the claimed 120, regardless if the most or not? There are several possibilities here and they may be mutually inclusive. The easiest explanation is there are over 40 disclosures by Lohani that have not been aggregated by VulnDB. Given the historical data and thousands of sources monitored, that would be a bit suspect. Given that he “was nominated for AISA Rookie of the Year in 2017“, that suggests this isn’t an issue of disclosures being historical and the data being incomplete.

Another possibility is that Privasec is trying to hide behind a single word in this press release. Note that it says he “has broken the world record by privately disclosing 120 Open-Source CVEs.” The problem with trying to use this as an out is that how do they know how many other vulnerabilities were privately disclosed? Besides, they also make a point to say “Open-Source CVEs”, which presumably means “public” CVEs. This on top of the PR headline not qualifying their claim at all.

One last possibility is that there are over 40 more of his vulnerabilities with a CVE, but all in RESERVED status. If that was the case, you’d expect them to have contacted MITRE to get them published; after all, they do say “open-source” Additionally, they likely don’t have knowledge of the RESERVED entries that are actually public, which numbers in the thousands.

The Counter

If not Lohani, who has the most vulnerabilities to their name? Probably Mateusz Jurczyk (j00ru) but I would have to do some more data massaging to verify it. He (1,717) and Gynvael Coldwind (1,143) both come to mind for an incredible number of vulnerabilities, many disclosed together. Another name from a ways back is r0t (811), who rode the web application wave with many XSS and file inclusion vulnerabilities. Compare any of those to Lohani with his 120 claim as the “world record” and you can see it is quite absurd. Hell, Jurczyk has more Microsoft Windows vulnerabilities with a CVE assignment than Lohani has in total. It’s clear Privasec didn’t do their homework, or simply didn’t care to.

The Offer

Am I wrong? Possibly. I outlined several reasons why the numbers might be off on either side. So I have an offer for Lohani and Privasec; prove me wrong. It’s quite simple too, since you have the data used for the 120 figure. Share a list of Lohani’s vulnerabilities with me. A simple list of the CVE IDs is all I need, I will do the heavy lifting to verify that number is accurate. You’re still wrong about that “world record” either way, that is proven above. But I would love to see the list of 120 you claim regardless.