What is Vulnary?

Vulnary is a Windows-based framework that is capable of collecting all information regarding the system and the processes running on it. Using this information Vulnary can truly understand how a process is operating on the system and more importantly can detect serious software vulnerabilities. So it does not test applications, it tests the system and makes predictions by the events of the operation system. By this technique, 0day vulnerabilities in huge numbers of applications can be found starting with less known softwares to the products of the biggest vendors as well.

How you can use the service:

  1. Subscribe for the suitable service (request 10, 20, or more software tests for each month)
  2. Based on a previously agreed monthly limit due to your subscription, you can request software analysis for any application you wish (if the application needs a license, you have to provide that)
  3. We analyze the system with the requested application within the next couple of business days and after that, we send you a detailed report about our findings. You do not have to care about False Positive tests, you will get only examined and 100% certain findings in your report. These reports include:
    • – information about the application: how the application operates, what was changed on the system by the application, what new components, services, and files were brought to your system
    • – warning about things you have to consider: application running level which may cause problems, missing or poor mitigation policy on sensitive processes, sensitive used data access
    • – alert about software vulnerabilities: serious vulnerabilities which bring an attack surface to your system. These can be command injection, privilege escalation, code injection, insecure Registry usage.
    • – This report will be shared only with you and you will be fully responsible for keeping this information confidential. However, with this, you can make decisions about using the tested software or not. If the application has serious vulnerabilities maybe you would consider using other applications, or you may separate the application for another system in a careful way.

If you would like to get the problems we found fixed, you can request us to report the vulnerability to the developer and manage the fixing process. As a final step, we will notify you at the end of the process.

VULNERABILITIES LIFE-CYCLE

Release it, Find it
Fix it, Re-release it

Nowadays everybody uses many tools and services from different sources. These sources have different standards and abilities to develop their products. People who are using these products did not have a chance to audit the processes run by them, so they had to trust blindy. Until now...

Why Choose Vulnary?

If you are a developer, we can find the bugs for you right before the release
If you are an end-user we can find the bugs for you before mass installation
We can find vulnerable processes run by applications immediately
You can leave the reporting and fixing process for us to manage

Initial Release

Releasing a product which contains a bug

Detection

Someone detects/finds the vulnerability in the product

Re-Release

When the patch/update is ready, it is re-released (usually 30-90 days needed)

Start Fixing

In case the vendor notices the bug, starts fixing it (usually 30-90 days are needed)

OUR CURRENT FEATURES

Vulnary's current version can detect 3 types of software bugs

Local Privilege Escalation

Since Vulnary counting with process privilege level, it can easily detect Local Privilege Escalation vulnerabilities

Process Audit

- how the application operates,
- what was changed on the system by the application,
- what new components, services, and files was brought to your system

COM Hijack

via COM sub-System (ab)used:
- malicious actors can inject code and elevate privilege
- ITW (In The Wild) malware use this technique

DLL Hijack

- Persistence (most of the AV products can't detect by this technique)
- Credential/info theft (security products try to block traditional code injection techniques, however this is an open door)