Vaserve, a UK web hosting company, says that 100,000 of its customer sites were wiped out in what looks like a zero-day attack on HyperVM, a virtualization application it used. HyperVM was a product of lxlabs.

I checked the lxlabs product documentation and website and could not find any reference to a secure development lifecycle. I did find this rather disturbing post to their forum, the first post in a new topic called "Security", on April 10, 2009. It was not replied to until yesterday.

Lxadmin/hyperVM has become popular enough that people are SPECIFICALLY targeting this software now, and so we are now redoubling our focus on security.

If anybody knows about any vulnerability in hyperVM or lxadmin, please contact lxinfo at, and we can negotiate a payment if you can demonstrate it clearly.

Of course, after we fix the bug and update the software, we will absolutely disclose it publicly too, since we believe in 100% openness, but we need to know about vulnerabilities before they can impact our clients.


This is obviously not a good software security strategy. The owner of the IP is responsible for testing it for security flaws. For lxlabs it was obviously too little, too late. The industry can learn from this lesson: don't wait until your software reaches critical mass and attracts the attention of blackhat researchers before you start thinking about application security.

The bigger issue, and one that Vaserve should be asking itself, is why it placed so much trust in software that clearly had no software security process behind it. Vaserve should have looked for evidence of a third-party security review before accepting the risk of an application that had the potential to bring down the whole company.

Hosting and cloud provider customers need to ask themselves how they vet the providers they use. Have their providers demanded evidence of third-party security reviews of the products in their infrastructure stack? Until customers start requiring this evidence, these disasters will continue. The demand for evidence of a security review has to start with the end-user customer and work its way up the supply chain to the hosting/cloud provider and then to the software vendor.


About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (3)

jane | June 9, 2009 1:52 pm

I understand the boss of the company lxlabs has committed suicide.

MikeA | June 9, 2009 6:06 pm

Perhaps this will get moderated/pulled, and if so, correctly - I struggled myself over whether I should follow up with this, but I guess it continues from this...

I appreciate how crappy you must feel if something you are responsible for fails badly, but this is not the form of "owning up for mistakes" that any of us would want to see, especially when it's "just" electrons and not people's lives.

Jo | June 10, 2009 4:23 am

lxlabs: I agree with Chris, I don't think waiting for hackers to find vulns in your software is the right strategy. For starters, what about using automated tools against your products: Acunetix ( Powerfuzzer Online (, GamaSec (
