Disclosure and Something About Hats
Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin
Originally Recorded January 17th 2015
Blackhat movie
what is a black hat hacker? https://en.wikipedia.org/wiki/Hacker_%28computer_security%29
A “black hat” hacker is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain” — Robert Moore, 2005
A white hat hacker uses the same skills to improve security.
The common currency of both is discovered vulnerabilities.
Black hats hoard; white hats disclose.
Moral obligation to disclose:
If the good guys don't fix it, the bad guys will exploit it.
Responsible disclosure (coordinated)
Full disclosure
The Research Security Advisory Writing Guideline highlights some important items an advisory should have: https://docs.google.cm/doco/1ulument/dnK4hR48Cnh7MeC0K9WwkfidGsGr9jDRG-DBr8eZkU/edit?pli=1
Dates (the timeline of report, vendor response, fix and publication)
Proof of concept, or a way to reproduce the issue
Severity
Bruce Schneier has a good essay on the disclosure debate at https://www.schneier.com/blog/archives/2007/01/debating_full_d.html
CERT/CC works with a default 45-day disclosure window: https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm?
Google drama
https://arstechnica.com/security/2015/01/google-sees-a-bug-before-patch-tuesday-but-windows-users-remain-vulnerable/
Google published the vulnerability details two days before Microsoft released the patch. That's the story.
Why would you want to tell the general public about a vulnerability?
It gives them a chance to try alternative fixes and mitigate the vulnerability themselves.
Inflexibility on both sides in this story: Google with its arbitrary, fixed 90-day deadline and Microsoft with its fixed Patch Tuesday schedule.
Patch Tuesday: while a fixed schedule is lovely for administrators, it also means attackers who release an exploit on the Wednesday after a patch KNOW they have roughly four weeks of malicious time before the next scheduled patch (barring an out-of-band fix).
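As an added example (not from the show notes, and not Google's or Microsoft's code), a short Python script that makes the clash of the two fixed schedules concrete. It assumes the fixed-deadline rule of 90 days from report to publication, and the rule that Patch Tuesday is the second Tuesday of each month; the report date is an assumed input, chosen so that the deadline lands two days before a Patch Tuesday, matching the gap described above.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (the assumed Patch Tuesday rule)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def patch_tuesday_on_or_after(d: date) -> date:
    """First Patch Tuesday that falls on or after date d."""
    candidate = patch_tuesday(d.year, d.month)
    if candidate >= d:
        return candidate
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return patch_tuesday(year, month)


def disclosure_timeline(report_iso: str, window_days: int = 90) -> dict:
    """Fixed-deadline disclosure (the Google-style window) against a fixed
    patch schedule.

    Returns the publication deadline, the first scheduled patch day on or
    after it, and how many days the details would be public before that
    patch day if the vendor waits for its regular cycle.
    """
    report_date = date.fromisoformat(report_iso)
    deadline = report_date + timedelta(days=window_days)
    fix_day = patch_tuesday_on_or_after(deadline)
    return {
        "deadline": deadline.isoformat(),
        "patch_tuesday": fix_day.isoformat(),
        "days_public_before_patch": (fix_day - deadline).days,
    }


def exploit_window(release_iso: str) -> int:
    """Days from an exploit release until the next scheduled Patch Tuesday
    strictly after the release. Out-of-band fixes are ignored."""
    release_date = date.fromisoformat(release_iso)
    next_patch = patch_tuesday_on_or_after(release_date + timedelta(days=1))
    return (next_patch - release_date).days


if __name__ == "__main__":
    # Assumed input: a bug reported on 2014-10-13 under a 90-day window.
    print(disclosure_timeline("2014-10-13"))
    # An attacker releasing the day after the January 2015 Patch Tuesday.
    print(exploit_window("2015-01-14"))
```

Run it and the first line shows the deadline falling on 2015-01-11, two days before the 2015-01-13 Patch Tuesday; the second shows an exploit released on the Wednesday gets 27 days before the next scheduled patch.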
What are the different options?
Full disclosure (tell everyone)
Delayed disclosure, like Google (tell the vendor, then release to the public after a deadline)
CVD (coordinated vulnerability disclosure), like Microsoft: agree with the vendor on when to announce
Keep it a secret and use or sell it yourself for $$$
Working in infosec, what's the best option for your company?
It depends on your products.
Dan Kaminsky's 2008 coordinated disclosure of a DNS cache-poisoning vulnerability that could have crippled the Internet: https://dankaminsky.com/2008/07/09/an-astonishing-collaboration/
Mobile banking vulnerabilities: https://web.nvd.nist.gov/view/vuln/search-results?query=mobile+banking&search_type=all&cves=on
Bug Bounty programs
Lots of mature companies have them: https://www.bugsheet.com/bug-bounties
Bug bounty as a service: https://www.infosecisland.com/blogview/22737-Bug-Bounty-Programs-As-a-Service.html
Be open to receiving notifications
Make the appropriate contacts obvious
Be prepared to receive reports and do not be quick to dismiss them
Track the details (e.g. who submitted, when, how severe, current status)
Contests like CanSecWest Pwn2Own https://en.wikipedia.org/wiki/Pwn2Own
VUPEN, of France, is the most famous company with a business model built around selling vulnerabilities: https://www.forbes.com/global/2012/0409/technology-hackers-security-government-zero-day-salesmen.html