O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Full Disclosure Debate - NBT 5

114 visualizações

Publicada em

Fun debate between @viss and @caseyjohnellis on the merits and drawbacks of Full Disclosure.

Publicada em: Tecnologia
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Full Disclosure Debate - NBT 5

  1. 1. The Full Disclosure Debate VS @viss @caseyjohnellis NBTCon HackerFight Dec 1, 2018
  2. 2. FULL DISCLOSURE IS BAD, M’KAY caseyjohnellis - founder/chair/cto @bugcrowd
  3. 3. Disagreeing with Full Disclosure == Disagreeing with Death and Taxes
  4. 4. What is Full Disclosure? • Technically, it means publicly dropping 0- day before you tell the vendor about the vuln. • Realistically, it’s also interpreted to mean pre-fix, post-deadline, public disclosure in a CVD timeline. • Basically, public disclosure + vuln not fixed = full disclosure. • …also, words are hard.
  5. 5. tl;dr: This.
  6. 6. Why is Full Disclosure like Death and Taxes? • tl;dr: It’s because proactive vulnerability disclosure isn’t a normal thing yet. • Failure to prepare on the recipient-side leads to the use of the “lever of last resort” • Intake, Communication, Remediation • Parts of the Internet will always suck at proactive disclosure, ergo FD will always be a thing • Proactive Vulnerability Disclosure removes the need for Full Disclosure. “debate against me all you like, I still don’t give a shit” - FD Honey Badger
  7. 7. “OK, now shuttup and argue with it.”
  8. 8. Why it’s bad. 1. OMG 0DAYZ!!! Full Disclosure gives unsophisticated actors easy access to complex attacks. 5/10 - Meh, true… but 0ld-day is a bigger culprit. 
 *cough* wannacry *cough*
  9. 9. Why it’s bad. 2. ZOMG h4X0RS!!! The alarm and general fuss that accompanies Full Disclosure reinforces the “US vs THEM” stereotype of the hacker community, and lumps good-faith hackers back in with the the malicious ones. 7/10 - Ok, fair point.
  10. 10. Why it’s bad. 3. ZOMG keep away!!! Full Disclosure scares the shit out of the people who need to sign-off on proactive vulnerability disclosure. This slows proactive VDP/CVD adoption down, which makes FD more likely. 10/10 - That’s bad, m’kay.
  11. 11. Why it’s bad. 4. ZOMG I wanna be like @viss There are literally thousands of net-new people joining the fight. They’re enthusiastic and many have skill… but they all come in with ZERO context on the nuances of Full Disclosure. The twitter/im/press ruckus around Full Disclosures teach them to escalate their findings prematurely, creating a negative behavioral spiral which impacts the entire good-faith hacker ecosystem. 12/10 - A++++ WOULD DEBATE AGAIN
  12. 12. As all good debates should finish…
  13. 13. BONUS ROUND RJE: remote-journalist-execution hyped low-criticality FDs + click happy journalists = we ALL end up as the boy who cried wolf ∞/10 - please stop.
  14. 14. fin. @bugcrowd @caseyjohnellis

×