CPR-Zero: The Check Point Research Vulnerability Repository
June 19, 2019
During the past 3 years, Check Point Research has invested significant resources into vulnerability research. For every vulnerability we discover, we first notify the vendor and immediately develop new protections which are integrated into the Check Point line of products.
During the course of our vulnerability research, we come across a vast number of bugs, some more interesting than others. Many of the vulnerabilities we discover are also shared publicly in our blog or conference presentations, such as Hacked in Translation, What the FAX?!, and most recently the WinRAR 19-year-old code execution. However, while some of the vulnerabilities are published, many are not.
The normal practice for publicly disclosing vulnerabilities is to give the relevant vendor 90 days to fix the problem before informing the public, thus allowing users to take the necessary steps to avoid attacks. We find that user awareness plays a major role in the decision to update and patch the environment.
For these reasons, we decided to create the CPR-Zero Repository that includes the majority of the bugs we discover and disclose, even if they are not featured in a particular publication. The repository contains detailed information regarding each bug, including a crash dump, a short explanation and sometimes a POC. This initial bug release includes over 130 critical vulnerabilities; most of their details are not yet released even though they are already patched.
The repository is an ongoing project and will be updated continually as we make new discoveries. The process is not automatic, however, and we reserve the right not to disclose some of the bugs that may be higher risk.
We are proud that Check Point boasts some of the most talented and capable experts in the field, and we strive to stay ahead of malicious actors by developing new research tools and mitigation techniques and by identifying attack vectors before they do. The vulnerability repository is our latest effort and aims to be a valuable step in notifying users of new risks as well as encouraging vendors to take the necessary steps to continue to provide a risk-free user experience when browsing the internet.