37 min

Katie Moussouris, Vulnerability Coordination Maturity Model, when are you ready for a bug bounty - Part 1 BrakeSec Education Podcast

Introduce Katie (bio) (@k8em0) CEO and Owner, LutaSecurity
The scope of the VCMM (what is it?)
VCMM - Vulnerability Coordination Maturity Model 
https://www.lutasecurity.com/vcmm
Just covers the internal process? To ready an org for a bug bounty program or to accept vulns from security researchers?
You mentioned not playing whack-a-mole when it comes to responding at the beginning of a vuln disclosure program. Is directing different categories of bugs to the right place one of the things that keeps you from just waiting for the bugs to roll in?

Will this work for internal security or red teams as well, or is this more suited to bug bounties?
What’s the timeline for this process? “We need something for a product launch next week…”
Stakeholders involved? CISO? Security team? IT? Devs?
What precipitates the need for this? Maturity? Vuln Disclosure? 
Are the ISO docs required for this to work, or will they assist in an easier outcome?
https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/
https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac 
10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html
https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961
How does an org use this to communicate vulnerabilities in their own products? 
What’s the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipe dream?
Incentive “no legal action will be taken”. People want money… not tours, not 10-point font. How do you convince ‘good’ bug writers to want to help you for a ‘thank you’? Should incentive be a ‘Level 3’ or would you consider it not ready for prime-time?
https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/
Vuln reporting
Lots of Twitter fodder about companies that handle vuln disclosure poorly; some folks even say you shouldn’t bother and should deal with a third party instead.
If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier?

Security.txt?
Clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)
SLA to reply to all bugs?
Standardized disclosure form for discoveries?
Slide Presentation Overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf
ISO 29147:2018 - $150 USD
https://www.iso.org/standard/72311.html
ISO 30111:2019 - $95 USD
https://www.iso.org/standard/69725.html
ISO 27034-7:2018 - $150 USD
https://www.iso.org/standard/66229.html 
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonMusic: https://brakesec.com/amazonmusic 
#Brakesec Store!: https://brakesec.com/teepub 
#Spotify: https://brakesec.com/spotifyBDS

#Pandora: https://brakesec.com/pandora 
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel:  http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site:  https://brakesec.com/bdswebsite
#iHeartRadio App:  https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brak