@k8em0's Threads
Outsource your triage for vuln disclosure & bug bounties, they said.
The labor market shortage of qualified triage workers is immaterial, they said.
Remember the whole point of these bug bounty platforms was to save you money in pen testing?
Help you find bugs that eluded you?
The labor market shortage of qualified triage workers is immaterial, they said.
Remember the whole point of these bug bounty platforms was to save you money in pen testing?
Help you find bugs that eluded you?
Oh look!
They just asked the hacker if they downloaded any sensitive program data from any other HackerOne customers LIKE THE PENTAGON PERHAPS, & took their word for it!
And this hacker originally reported this issue 3 YEARS AGO.
This bug bounty platform has a $100M valuation.
They just asked the hacker if they downloaded any sensitive program data from any other HackerOne customers LIKE THE PENTAGON PERHAPS, & took their word for it!
And this hacker originally reported this issue 3 YEARS AGO.
This bug bounty platform has a $100M valuation.
There is good reason why I have an independent company that helps governments & organizations fight FUD & get better honestly at vulnerability management, vuln disclosure, & bug bounties.
I’ve seen bug bounty platforms unraveling like this & I’m not about to steer people wrong.
I’ve seen bug bounty platforms unraveling like this & I’m not about to steer people wrong.
How many years of getting shit on in an industry that you helped define does it take to push you over the edge to believing nothing you ever do will be good enough, you should give up, never return?
This is why I don't mentor young women, BTW.
This place is never getting better.
This is why I don't mentor young women, BTW.
This place is never getting better.
Please don't be tempted to respond with one of these right now.
I've been telling myself for 29 years, from the time of my first job working in a dry cleaners, not to let mean people get under my skin at work.
Don't say to just not listen to those people or let them affect me.
I've been telling myself for 29 years, from the time of my first job working in a dry cleaners, not to let mean people get under my skin at work.
Don't say to just not listen to those people or let them affect me.
My new response to anyone giving me advice is
Fuck off.
Enjoy it.
And fuck off.
Fuck off.
Enjoy it.
And fuck off.
Respected, highly skilled researchers who refuse on principle to sign restrictive non-disclosure terms as a condition to report bugs to you are exactly the ones you don't want to have your bug bounty platform turn away.
NDA-like terms are bad for vuln disclosure & global security
NDA-like terms are bad for vuln disclosure & global security
Gather around this old lady of hacking & vuln disclosure once more, kids.
It's time for another short thread to educate & correct some bad takes when it comes to disclosure norms.
Many believe 90 days is too short of a disclosure deadline.
Originally, disclosure norms were 5 DAYS
It's time for another short thread to educate & correct some bad takes when it comes to disclosure norms.
Many believe 90 days is too short of a disclosure deadline.
Originally, disclosure norms were 5 DAYS
First, read this other short thread, covering a bit of history of vuln disclosure, some weird recent blocking of researchers on another bug bounty platform, then come on back here.
Got it?
Good!
Ok read on in this thread.
Got it?
Good!
Ok read on in this thread.
Time to remind folks what Coordinated Vulnerability Disclosure is all about, since both the affected vendor & the bug bounty platform in this disclosure debacle are incapable of doing so.
Buckle up, kids.
The co-author of the vuln disclosure ISO standards has a thread for you. 🍿
Buckle up, kids.
The co-author of the vuln disclosure ISO standards has a thread for you. 🍿
First, some brief history of vulnerability disclosure:
1. Researchers used to have no way to report.
2. If they did, they were likely threatened or dismissed.
3. Full disclosure was always an option, as it got 2 things done:
- Warned users
- Forced vendors to address issues
1. Researchers used to have no way to report.
2. If they did, they were likely threatened or dismissed.
3. Full disclosure was always an option, as it got 2 things done:
- Warned users
- Forced vendors to address issues
Then vendors started labeling full disclosure as "irresponsible", planting the onus on researchers, while completely skirting their own liability & negligence.
The vendor created the bug.
If the vendor failed to address it, suddenly it was the researcher's fault for speaking up?!
The vendor created the bug.
If the vendor failed to address it, suddenly it was the researcher's fault for speaking up?!
This take is common but inaccurate. Understandably so, but still important to correct.
Usually the primary culprit where a known vuln is exploited is delays in applying patches.
Not the culprit here.
It was a breakdown in the data exfiltration prevention/detection that did it.
Usually the primary culprit where a known vuln is exploited is delays in applying patches.
Not the culprit here.
It was a breakdown in the data exfiltration prevention/detection that did it.
Orgs must test patches. A layer of complexity in applying them is when the issue is in a framework or library, as was the case here. They have to recompile/test all applications built using that framework/library & fix issues found in that testing before they can call it patched.
When I created Microsoft Vulnerability Research (MSVR), we found & coordinated disclosure of library issues with exactly this problem.
You end up w developers who don't upgrade quickly w the new library, causing a longer window of exposure.
Info sharing/patching wasn't the prob.
You end up w developers who don't upgrade quickly w the new library, causing a longer window of exposure.
Info sharing/patching wasn't the prob.
Every person who drives Lyft/Uber has a story. I usually start my ride asking them how their day is going, how long they've been on shift, if they had any weird passengers (besides me). Every 1 of them was working it as a second job - if they were *lucky* to have another. Tragic.
Today on my way to the airport, a man just started his second job this week. Today is his day off from that. He still must drive. Each time the rideshare companies run promotions, the drivers suffer. There was a 2 week promo when he dropped off 4 ppl at 4 locations - $10 total.
Chronic underemployment causes more people to seek other income just to survive, & further curtails the spending that would otherwise fuel the economy. The divide between the wealthy & middle & working class (everyone else) is getting sharper. This is an unsustainable load & road
I just got this from Twitter, so I asked:
"I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised?
"I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised?
Putting this at the top of the replies so that people can stop feeling like they need to correct my original tweet. :) Clarification is in my timeline, but not high enough in the replies to see that it is *even worse* than I initially thought:
I got 2 consecutive restraining orders against an MIT professor, the 1st of which he forced an evidentiary hearing w his own character witnesses & full cross examination of me on the stand, he wasn't disciplined at all.
I was 21. He was 34.
Why do that ever again
#WhyIDidntReport
I was 21. He was 34.
Why do that ever again
#WhyIDidntReport
I left my job at MIT, where I'd worked 4 years, moved across the country & became a Linux dev. I chose not to get a 3rd restraining order in San Francisco, so that he wouldn't know where I lived. To this day, now that I'm a public figure, I worry that he will snap & come hurt me.
It's been over 20 years. He was known to hit on undergrads. Known to MIT by complaints by students. Even when court found him to be a credible threat to me, his position at MIT remained unchanged. I spoke up loudly for myself & to stop him from hurting anyone else. MIT failed us.
Marketing can often get things wrong. So can media. I expect technical folk to use technical terms correctly.
"Integration in SDLC" which I've discussed extensively regarding vuln disclosure/bug bounties has little to do with nifty JIRA bug bounty integration (which is cool).
"Integration in SDLC" which I've discussed extensively regarding vuln disclosure/bug bounties has little to do with nifty JIRA bug bounty integration (which is cool).
It sure makes for glossy marketing to say that it does - but that labels a feature erroneously. It is actually a process. The process can still be missing. Why does it matter so much?
It's like saying a bug bounty can make you more secure - which is a lie without back-end process
It's like saying a bug bounty can make you more secure - which is a lie without back-end process
It's accurate to say that bug bouny platform-JIRA integration streamlines the vulnerability response process, because that is all that it does. This is quite useful without the marketing deception & complete misuse of the technical process term "SDLC". That's for preventing bugs.
Last view of the crime scene that was my invaded hotel room and violated space, courtesy of @CaesarsPalace who still have not told me anything, offered me anything (except to move my room - like that really would prevent their security team screaming at me again). My last #DEFCON
The reporting out of this event so far has noted "privacy" concerns. The fact of the matter is, a male's chief concern is privacy. Women's includes that, but our high order bit is that this policy designed to keep people safe from gun attacks *increases* our chance of assault.
Threat models change, & we as security professionals know that. October 1 changed the threat model for Vegas hotels. That in no way changed the threat models for women traveling alone. Only @CaesarsPalace security did that. They are sacrificing women's safety for gun inspections.
TFW you're happy folks are celebrating others & you, yet there's still an annoying focus on your least significant bit, nothing to do with your work. I'm so fucking sick of the "women in" lists. The equality I crave is that professional lists have plenty of unscripted diversity.
Also annoying as hell: people coming to me, expecting me to be an expert in diversity & diversity hiring. What the fuck does hacking (my tech background) or policy work have to do with recruiting skills? To me, it's as offensive as expecting all women to know how to cook & clean.
For the record: I don't know anything about how to recruit more women. Please tax the men w fixing their own shitty hiring pipeline they created. We pay enough overhead just being recognized for our work. We aren't typically paid or promoted equally. I'm already fighting that.
What used to frustrate me as a young professional pen tester was needing to overprove myself each time, whereas junior males were assumed to be more technical than me. Now I get it on Twitter w people who know my work, yet still think dismissing my expertise counts as "debate".
Feed the pipeline, they say. Get more♀️interested in STEM. We don't have enough qualified candidates, or we'd totally hire them/have them speak. As a♀️who's done pro hacking, IT admin, development, & shifted major company bounty policy w data, I can tell you it's not worth it
Yes.
1. @four did a great job under tremendous pressure & made zero excuses. I don't think anyone could've done better under the circumstances. He said Uber made a mistake in both paying extortion (he was clear it wasn't a bug bounty) & failing to notify affected users & drivers.
1. @four did a great job under tremendous pressure & made zero excuses. I don't think anyone could've done better under the circumstances. He said Uber made a mistake in both paying extortion (he was clear it wasn't a bug bounty) & failing to notify affected users & drivers.
2. I made the following points:
- it's great that there are more legal ways to report bugs, & ways to be paid bounties, but we are creating a skewed market by saying everyone needs a bug bounty without building a robust overall defense. More bug hunters does not = more bug fixers
- it's great that there are more legal ways to report bugs, & ways to be paid bounties, but we are creating a skewed market by saying everyone needs a bug bounty without building a robust overall defense. More bug hunters does not = more bug fixers
- muddying defense market waters by misapplying the term bug bounty to the extortion payment Uber made makes it more likely others will try for a data theft $100,000 payout instead of a $10,000 legit bug bounty
- markets are created deliberately, & we must take care to shape them
- markets are created deliberately, & we must take care to shape them
The assumption "bug collisions are so common in all software that everyone should assume that for any bug disclosed, it's probably been found by attackers & exploited already" contrasts how scientific research works. Security research is no exception.
Bug & research "collisions" can happen due to lots of low-hanging fruit. It can also occur when researchers pay attention to reach other's work. I've discussed researcher "swarming" for years, & recently on stage at BlackHat this summer.
Bug collision or correlation rates for software that has a lot of bugs (bug dense, say, because of not being well-tested) will generally model higher bug collision rates than in software with low bug density. See slides #23-27 from my RSA talk in 2015.
rsaconference.com/writable/prese…
rsaconference.com/writable/prese…
New from me:
Important changes to #Wassenaar protects defenders from export control paperwork impeding #vulnerabiltydisclosure & #incidentresponse . Done? Not yet! Let's celebrate this win for tech/policy collaboration now. What's next? Read on. 🍻🥂🥃
thehill.com/opinion/cybers…
Important changes to #Wassenaar protects defenders from export control paperwork impeding #vulnerabiltydisclosure & #incidentresponse . Done? Not yet! Let's celebrate this win for tech/policy collaboration now. What's next? Read on. 🍻🥂🥃
thehill.com/opinion/cybers…
All options, including seeking further clarifications, or drafting a proposed domestic export control rule, are all still on the table in the US. There will likely be further opportunities for the public to weigh in on this undecided next move by the US.
Like the changes agreed so far, we have every single interested party to thank for this shared victory. The export control authorities from each country were super collaborative w us. We need more tech folks who value partnerships w policy makers. Nobody wins unless everyone wins
Excellent post re hunting #bugbounties . These stats show the researcher's persistence & skilling up, & also inadvertently highlights problems w the #bugbounty ecosystem. What other security job only pays for 57% of your work?
"13% reward rate for 1st month, then 25%, then 57%."
"13% reward rate for 1st month, then 25%, then 57%."
I'm a fan of creating incentives. What #bugbounties have turned into is a misinformed (on both hunted & hunter sides) replacement for other security activities. Thoughtful incentives (including but not limited to bounties) creates win-win. The 1st MS bounties had no duplicates.
I love that bug hunters & orgs running bug bounties are using the programs to learn. That's great news. But is it improving security over time, or just outsourcing QA, encouraging sloppier releases & deployments, which lead to more low-hanging fruit, & therefore more duplicates?
