I work on the Vulnerability Analysis team at CERT/CC (www.cert.org). We recently released an open source project that I developed, the CERT Triage Tools, and I thought it might be of interest to your team. From the CERT Triage Tools webpage (http://www.cert.org/vuls/discovery/triage.html):
The CERT Triage Tools can be used to assist software vendors and analysts in identifying the impact of defects discovered through techniques such as fuzz testing and prioritizing their remediation in the software development process. The CERT Triage Tools include a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity and a wrapper script for batch execution.
The 'exploitable' GDB extension mentioned above is a Python script that can be used to determine how exploitable a crash is. I recently published a blog post with some more information on the extension and how to use it: http://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html
Josh Bressers and Steve Grubb, of Red Hat, have been investigating use of the tools by your organization. I have CC’d them on this message. (Josh and Steve: The first message I sent didn’t post to the mailing list due to a clerical error on my part – feel free to ignore this re-send)
Regardless, I have been passively following the work your team has been doing and thought our tools might be useful to you. If you have any questions, comments, or ideas, please feel free to drop me a line.

Jon Foote