Application Security Weekly (Audio)

Policy Momentum in Coordinated Vulnerability Disclosure - Amit Elazari - ASW Vault

Tue Jun 20 2023
Tags: Cybersecurity, Bug Bounties, Vulnerability Disclosure Programs, Collaboration, Security Education

Description

The episode discusses the importance of building connections between institutions and the hacker community, the increased adoption of vulnerability disclosure programs and bug bounties, flexible security policies and collaboration with researchers, engaging with researchers and fostering collaboration, resources for vulnerability disclosure programs, and resources for effective vulnerability reporting.

Insights

Building Bridges between Hackers and Organizations

Understanding each other's language and contexts is crucial for effective policy-making. AppSec needs deeper connections with academic institutions to bring together diverse domain experts. Industry collaboration with researchers is essential for improving security.

Ethical Hackers and Security Posture

The adversarial mindset of ethical hackers can benefit organizations' security posture. Addressing anti-hacking laws is crucial for fostering collaboration between hackers, companies, policymakers, and governments. Private ordering mechanisms like bug bounties can help create standards and expectations around legal considerations for collaboration with security researchers.

Vulnerability Disclosure Programs and Bug Bounties

Bug bounties offer incentives for testing specific systems, while vulnerability disclosure programs focus on setting expectations for reporting issues. Policymakers are investing in collaboration and public-private partnerships to enhance security assurance. A technology-neutral approach is important in policy design to adapt to evolving security landscapes.

Collaboration with Researchers and Security Education

Intel is focused on engaging with more researchers to create a broader and diverse community of embedded researchers. They believe in the importance of interdisciplinary research and learning in order to address security challenges effectively. Collaboration between technical experts, engineers, and security leadership is where innovation happens.

Resources for Vulnerability Disclosure Programs

Intel has an arsenal of tools for collaboration and security assurance: a public bug bounty program, a vulnerability disclosure program, and internal offensive research efforts. International standards like ISO/IEC 30111 (vulnerability handling processes) and ISO/IEC 29147 (vulnerability disclosure) are important reference points for vulnerability disclosure processes.

Effective Vulnerability Reporting

Clear language and setting expectations are crucial for effective communication and collaboration with the community. Legal issues surrounding vulnerability reporting can be complex, so organizations should seek legal advice. The concept of 'safe harbor' helps address legal concerns by establishing consensus and clarifying authorization considerations.

Chapters

  1. Building Connections between Institutions and the Hacker Community
  2. Increased Adoption of Vulnerability Disclosure Programs and Bug Bounties
  3. Flexible Security Policies and Collaboration with Researchers
  4. Engaging with Researchers and Fostering Collaboration
  5. Resources for Vulnerability Disclosure Programs
  6. Resources for Effective Vulnerability Reporting

Building Connections between Institutions and the Hacker Community

00:01 - 07:44

  • Understanding each other's language and contexts is crucial for effective policy-making.
  • AppSec needs deeper connections with academic institutions to bring together diverse domain experts.
  • Industry collaboration with researchers is essential for improving security.
  • The adversarial mindset of ethical hackers can benefit organizations' security posture.
  • Addressing anti-hacking laws is crucial for fostering collaboration between hackers, companies, policymakers, and governments.
  • Private ordering mechanisms like bug bounties can help create standards and expectations around legal considerations for collaboration with security researchers.
  • 'Safe harbor' concepts are important in bug bounty programs to facilitate collaboration with the hacker community.
  • 'Disclose.io' plays an important role in bridging the gap between the hacking community and organizations by promoting vulnerability disclosure programs.
  • Educating policymakers about technical hacking communities' concerns, thoughts, approaches, and importance of vulnerability disclosure programs is necessary for building shared links.

Increased Adoption of Vulnerability Disclosure Programs and Bug Bounties

07:15 - 14:29

  • Policy makers have seen increased adoption of vulnerability disclosure programs and bug bounties.
  • The May 12, 2021 executive order (EO 14028) emphasizes the importance of vulnerability disclosure programs for federal agencies.
  • Intel has launched Project Circuit Breaker, a bug bounty program to engage with the community.
  • There is confusion between vulnerability disclosure programs and bug bounties, but they serve different purposes.
  • Bug bounties offer incentives for testing specific systems, while vulnerability disclosure programs focus on setting expectations for reporting issues.
  • Policymakers are investing in collaboration and public-private partnerships to enhance security assurance.
  • The Cyber Safety Review Board aims to foster transparency and collaboration in addressing security concerns.
  • A technology-neutral approach is important in policy design to adapt to evolving security landscapes.

Flexible Security Policies and Collaboration with Researchers

14:00 - 21:39

  • Security policies should be technology neutral and flexible to accommodate evolving risks and innovations.
  • Passwords may become obsolete as authentication methods evolve.
  • Taking an elastic posture towards security involves both architectural solutions and assurance practices.
  • There is a global focus on assurance practices like software development lifecycle and external research collaboration.
  • Intel is working on cultivating collaboration with researchers in the hardware field through bug bounties, academic partnerships, and hands-on training.
  • Project Circuit Breaker aims to engage researchers in exploring Intel's Tiger Lake platform and gather insights for future improvements.
  • The project offers multipliers on bounties and plans to host additional events to expand the community of embedded researchers.

Engaging with Researchers and Fostering Collaboration

21:23 - 29:07

  • Intel is focused on engaging with more researchers to create a broader and diverse community of embedded researchers.
  • They have a program called Project Circuit Breaker that invites collaboration with researchers, and it will be rolling out until May.
  • Intel also has a public bug bounty program and provides educational resources for security curriculum.
  • They believe in the importance of interdisciplinary research and learning in order to address security challenges effectively.
  • Intel hopes to see more policy, political science, and legal-oriented approaches towards security being taught in computer science curriculums.
  • The company emphasizes the need for continuous investments and resources in security education.
  • Collaboration between technical experts, engineers, and security leadership is where innovation happens.
  • Intel encourages a holistic approach to security by fostering academic collaboration, research, and having a diverse workforce and toolkit.
  • They have both a specific project for bug bounties (Project Circuit Breaker) as well as a broader bug bounty program open to the public.

Resources for Vulnerability Disclosure Programs

28:37 - 35:41

  • The company has an arsenal of tools for collaboration and security assurance.
  • They have a public bug bounty program, vulnerability disclosure program, and internal offensive research efforts.
  • They also collaborate with academia through programs like paper awards and labs.
  • Project Circuit Breaker is a new incentive-based program focused on the Tiger Lake platform.
  • The company welcomes collaborations from the community through various frameworks.
  • They recognize that security and collaborations are ongoing journeys.
  • There is a distinction between bug bounty programs and vulnerability disclosure programs.
  • Setting up these programs requires clear means to collaborate with the ecosystem and communicate expectations.
  • International standards like ISO/IEC 30111 and ISO/IEC 29147 are important for vulnerability disclosure processes.
  • NIST frameworks, FIRST.org frameworks, CISA resources, NTIA resources, and ENISA reports provide additional guidance.

Resources for Effective Vulnerability Reporting

35:26 - 37:51

  • There are various resources available for vulnerability disclosure programs, such as those provided by CISA, NTIA, and ENISA.
  • Frameworks like Disclose.io and the DOJ framework can be used as a starting point, but organizations should tailor their programs to their specific needs.
  • Clear language and setting expectations are crucial for effective communication and collaboration with the community.
  • Legal issues surrounding vulnerability reporting can be complex, so organizations should seek legal advice. Disclose.io aims to create mutual understanding and provides a template that federal agencies can also draw on.
  • The concept of 'safe harbor' helps address legal concerns by establishing consensus and clarifying authorization considerations.
  • More time is needed to explore all the available resources mentioned. The results of Project Circuit Breaker will also be discussed in future conversations.