KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor in 2020

285 views

In this keynote I’ll run through the past, present and future of vulnerability disclosure, and give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple. I’ll close with a Call To Action for all participants, with simple ways to help and get involved.

Published in: Government & NGOs
  1. The Disclose.io Project: Vulnerability Disclosure & Hacker Safe Harbor in 2020. Comfycon AU - 2020. (Slide footer, repeated on every slide: disclose.io @caseyjohnellis)
  2. whoami: @caseyjohnellis, https://cje.io, casey@disclose.io
     ● Founder, Chairman, CTO at Bugcrowd
     ● 20 years in Infosec
     ● Hacker > Pentester > Solutions/Sales > Entrepreneur
     ● Pioneered the Hackers-As-a-Service model
     ● sudo ./hustle.sh, sudo ./hack.sh
  3. (image-only slide)
  4. Quick History
  5. ● 1995: Netscape “Bugs bounty program”
     ● 2008: Facebook and Google start making noise about bug bounty and disclosure
     ● 2012: First Bugcrowd programs
     ● 2013: “Hmm… The researchers don’t seem to read the briefs ...and Organizations’ Legal Teams always seem to write War and Peace ...and CFAA makes screwing this up a felony crime”
  6. (image-only slide)
  7. How do we make it easy to do this well?
  8. ● 2014: Open Source Vulnerability Disclosure Framework (OSVDF) released in collaboration between Bugcrowd and CipherLaw. ISO 24197/30111 released for paying customers.
     ● 2014 to 2017: OSVDF language directly used and grandfathered by 500+ programs and translated into 4 languages.
     ● 2018: Amit Elazari hits the talk circuit re Safe Harbor with #legalbugbounty, Dropbox launches a Safe Harbor clause, and collaboration begins.
     ● 2018: disclose.io is spun out of the OSVDF project and #legalbugbounty.
     ● 2019: Bugcrowd adds disclose.io Safe Harbor language as default.
  9. How do we make the adoption of vulnerability disclosure programs, with best practice, go viral?
  10. Disclose.io Intro
  11. Vision: A healthy and ubiquitous Internet Immune System
  12. Mission: To drive vulnerability disclosure adoption through safety, simplicity, and standardization.
  13. The Components
      ● The Terms (Standardization): eliminate the friction of understanding and adopting VDP legal language for hackers AND companies.
      ● The List (Network-effect): drive the adoption of Safe Harbor for hackers and promote the cybersecurity posture of early adopters.
      ● The Logo (Normalization): promote the cybersecurity posture of early adopters and drive safe harbor.
  14. The Terms: a collection of boilerplate Vulnerability Disclosure language templates that balance:
      ◆ Bilateral safety for organizations/finders
      ◆ Legal completeness
      ◆ Readability
      ➔ Contributed to and assisted by lawyers, program owners, and policy makers from Government, the Private Sector, Technology Companies, and the Security Industry.
      https://github.com/disclose/disclose/tree/master/terms
  15. The Terms: Current Collection (https://github.com/disclose/disclose/tree/master/terms)
      ➔ General:
        ◆ Simple-safe-harbor: a simple text block which can be added to a brief.
        ◆ core-terms-GLOBAL: a full version of the disclose.io text with the core safe harbor concepts covered off, but no mention of specific laws or regions.
      ➔ Regional:
        ◆ core-terms-CANADA
        ◆ core-terms-USA
      ➔ Domain-specific:
        ◆ core-terms-USA-ELECTIONS
        ◆ Watch this space...
  16. The List (https://github.com/disclose/disclose/tree/master/program-list)
      ● A true, community-powered, vendor-agnostic directory of all known VDPs and BBPs
        ○ Includes up-to-date status of safe harbor, bounty availability, HOF, swag, etc.
      ● JSON and CSV
        ○ For readability, contribution, and usage by anyone
        ○ e.g. it currently powers the Bugcrowd List of Programs
      ● Licensed under CCA 4.0
  17. The Logo (https://github.com/disclose/disclose/tree/master/logos)
      Partial Safe Harbor
      ● “We agree not to pursue legal action if…”
      ● Good, but incomplete
      Full Safe Harbor
      ● Authorization under anti-hacking laws (e.g. CFAA)
      ● Exemption under anti-circumvention laws (e.g. DMCA)
      ● Exemption under AUP/ToS (a la Aaron’s Law)
      ● General acknowledgement of good faith
      ● Far more comprehensive
      (Two logo variants shown: Full Safe Harbor, Partial Safe Harbor)
  18. Put ‘em all together…
      1. Origin: Org launches a VDP with Safe Harbor. Org is added to The List and is provided with The Logo. Org displays The Logo on their website.
      2. Spread: Customer sees the logo, gets confidence, buys more readily; sales improve. Hacker sees the logo, gets confidence, trusts more readily; security is improved. Org2, a competitor to Org1, notices the differentiation, gets FOMO, and investigates starting a VDP.
      3. Refinement: Org2 sees The Terms, and adopts them and/or submits adjustments.
      4. Execution: Org2 launches a VDP. The cycle repeats for Org3 and Org4.
  19. Tl;dr: It’s working
      ● ~1,000 on The List
      ● ~600 using Simple Safe Harbor
      ● ~500 using OSVDF
      ● ~200 using Global Terms
  20. What’s Next?
  21. Goals: What’s the plan for 2020?
      1. Full coverage of FVEY countries in The Terms
      2. 3,000 programs with 30% “Full Safe Harbor” adoption on The List
      3. The Logo on 500 web properties
  22. Goals: 2020
      ● Full coverage of FVEY countries in The Terms
      ● 3,000 programs with 30% “Full Safe Harbor” adoption on The List
      ● The Logo on 500 web properties
  23. Call to action...
      Practitioners/Lawyers/Executives
      ● Start a VDP!!!
      ● Add Safe Harbor terms and join Disclose.io!
      ● Contribute to the disclose.io GitHub repo
        ○ We’re looking for Australian regionalized language
        ○ Additions/updates to the list are always welcome
      ● Spread the good word!
      Security Researchers
      ● Hack The Planet!
      ● Younger players
        ○ Push for better security… but have empathy.
      ● Older players
        ○ Consider the example you’re setting for new entrants who lack context…
        ○ Mentor, encourage, and train the younger generation.
  24. Thank you! @disclose_io, https://disclose.io, hello@disclose.io
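The Partial/Full Safe Harbor distinction from slide 17, applied to a JSON program list of the kind slide 16 describes and checked against slide 21's goal of 30% "Full Safe Harbor" adoption, as an added Python example (not disclose.io's own code; the field names and the sample records are assumptions, since the slides do not reproduce the real list schema):

```python
import json

# Slide 17's four elements of Full Safe Harbor; these key names are assumed.
FULL_SAFE_HARBOR_ELEMENTS = (
    "anti_hacking_authorization",    # authorization under e.g. CFAA
    "anti_circumvention_exemption",  # exemption under e.g. DMCA
    "tos_exemption",                 # exemption under AUP/ToS
    "good_faith_acknowledged",       # general acknowledgement of good faith
)

# Constructed sample records in the spirit of slide 16 (safe harbor status,
# bounty availability, hall of fame). Not the real disclose.io list schema.
SAMPLE_LIST_JSON = json.dumps([
    {"name": "Example A", "bounty": True, "hof": True, "safe_harbor": {
        "anti_hacking_authorization": True, "anti_circumvention_exemption": True,
        "tos_exemption": True, "good_faith_acknowledged": True}},
    {"name": "Example B", "bounty": False, "hof": True,
     "safe_harbor": {"no_legal_action_pledge": True}},
    {"name": "Example C", "bounty": True, "hof": False, "safe_harbor": {
        "anti_hacking_authorization": True, "good_faith_acknowledged": True}},
    {"name": "Example D", "bounty": False, "hof": False, "safe_harbor": {}},
])


def safe_harbor_level(program):
    """Classify one record as 'full', 'partial' or 'none' per slide 17."""
    terms = program.get("safe_harbor") or {}
    if all(terms.get(k) for k in FULL_SAFE_HARBOR_ELEMENTS):
        return "full"
    # A bare "we won't pursue legal action if..." pledge, or only some of the
    # four elements, is the slide's "good, but incomplete" partial case.
    if terms.get("no_legal_action_pledge") or any(
            terms.get(k) for k in FULL_SAFE_HARBOR_ELEMENTS):
        return "partial"
    return "none"


def adoption_report(list_json, full_goal_pct=30.0):
    """Count levels and test the slide-21 goal: 30% Full Safe Harbor on The List."""
    programs = json.loads(list_json)
    counts = {"full": 0, "partial": 0, "none": 0}
    for program in programs:
        counts[safe_harbor_level(program)] += 1
    total = len(programs)
    counts["total"] = total
    counts["full_pct"] = round(100.0 * counts["full"] / total, 1) if total else 0.0
    counts["goal_met"] = counts["full_pct"] >= full_goal_pct
    return counts
```

On the constructed sample one of four programs is Full (25%), so the 30% goal is not met; the same report over the real list would show how far adoption is from the slide-21 target.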