
Incentive Policy for Coordinated Vulnerability Disclosure

Assessment

For the past ten years or so, organizations have been trying to put operational policies in place to avoid “Full Disclosure” reports or “Open Bug Bounty” submissions, whose methods leave much to be desired in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “Responsible Disclosure” and wonder how it differs from the concept of Coordinated Vulnerability Disclosure.

The concept of responsible disclosure has too often been at the root of endless discussions:

On the one hand, vendors protest: “Disclosing a vulnerability without providing patches is not responsible.”
On the other, security researchers reply: “Not fixing this vulnerability as quickly as possible is not responsible.”

During this precious time while both sides argue, the system concerned is at the attacker’s mercy.

In order to move towards greater efficiency and to get out of sterile debates, it is therefore important to stop speaking of “responsible disclosure”. This is why many organizations advocate the concept of “Coordinated Vulnerability Disclosure” (CVD), in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom share a common goal: making the Internet safer.

Coordinated Vulnerability Disclosure

Theory & Definitions

Coordinated Vulnerability Disclosure (CVD) is a process aimed at reducing risk and ultimately mitigating the potential damage caused by a vulnerability affecting an information system. CVD is a process that cannot be reduced to the deployment of a patch or the publication of a report, even though these events are indicators of how efficient the cooperation has been.

A bug bounty platform such as Bountyfactory.io facilitates this process by encouraging the cooperation of thousands of security experts and organizations.
Cooperation: it is a key element of Cyber Governance.

Guillaume Vassault Houlière | YesWeHack CEO

Coordinated Vulnerability Disclosure is therefore the process of collecting information from Security Researchers, coordinating the sharing of this information among actors, and disclosing the existence of vulnerabilities (software or even hardware) and their mitigation measures to various stakeholders, including the public.

Coordinated Vulnerability Disclosure significantly increases the likelihood of success of any vulnerability response process. Contributions are often vulnerability reports written by security researchers.

CVD reports for a product (software or hardware) typically include patches as well as vulnerability report documentation or records in a vulnerability database.

NB: many operational vulnerabilities can be corrected by the operator and do not necessarily result in public disclosure.

Vulnerability disclosure is a process by which vendors and people who discover vulnerabilities can work collaboratively to find solutions that reduce the risks associated with a vulnerability.

ISO/IEC 29147, the standard defining Vulnerability Disclosure

This process includes actions such as the reporting, coordination and publication of information on a vulnerability, its mitigation or, ideally, its remediation.

Let’s zoom in on the concept:

Principles:

  • Reduce the risk of damage
  • Believe in good deeds, believe in good Samaritans
  • Avoid randomness
  • Boost cooperation
  • Follow the code of ethics
  • Learn from the OODA loop
  • Consider CVD as a process navigating between the “best” and the “worst”.

Goals:

  • Ensure that identified vulnerabilities are actually addressed;
  • Reduce the risk posed by the vulnerability;
  • Provide users with sufficient information to assess the risks associated with the vulnerabilities of their systems.

Stakeholders:

Coordinated Vulnerability Disclosure commonly begins with the detection of a vulnerability and ends with the deployment of patches or mitigation.

Therefore, several actors are involved in the CVD process:

  • Security researcher – the person or organization that identifies a vulnerability.
  • Reporter – the person or organization that notifies the vendor.
  • Vendor – the individual or organization that created or maintains the vulnerable product.
  • System administrator – an individual or organization that must apply the patch or take other corrective action.
  • Coordinator – an individual or organization that facilitates the coordinated response process.

Steps:

  • Discovery – Someone discovers a vulnerability in a product.
  • Report – The product vendor or a third party coordinator receives a vulnerability report.
  • Qualification – The recipient of a report validates it to ensure its accuracy before prioritizing it for further action.
  • Remediation – A remediation plan (ideally a software patch) is developed and tested.
  • Public Awareness – Vulnerability and corrective measures are disclosed to the public.
  • Deployment – Corrective measures are applied to the systems concerned.

The reporting step is important because it requires the creation of secure channels to ensure that transmitted information is not intercepted by a third party.

However, there are some obstacles within the process:

  • No vendor contact available – This may occur because a contact could not be found or because the contact is unresponsive.
  • Termination of cooperation – Participants in the CVD process may have other priorities competing for their attention.
  • Information leakage – Whether intentional or unintentional, information intended for a small group of actors can be passed on to others who are not involved in the CVD process.
  • Independent discovery – Any vulnerability that can be found by one individual can be found by another, and not everyone will tell you about it.
  • Active exploitation – Evidence that a vulnerability is being actively exploited by adversaries requires accelerating the CVD process to reduce users’ exposure to risk.
  • Deteriorating communication – CVD is a process of coordinating human activities. As such, its success depends on the quality of the relationships between the participants.
  • Marketing – In some cases, vulnerabilities are used as a marketing tool. This is not always conducive to the smooth running of the CVD process.

To sum up:

Vulnerability disclosure practices are no longer restricted to web applications. The Internet of Things and the constellation of SCADA systems, connected health devices, CCTV, connected cars, etc. have become so dependent on software and the Internet that they widen the exposure perimeter and will inevitably be exposed to new attacks.

Coordinated Vulnerability Disclosure is a major ally in federating the largest possible number of cyberspace actors and stimulating the exchange of knowledge, so as to ensure both security and privacy protection by design.

By encouraging cooperation, CVD will enable all stakeholders not only to defend their common information assets but also to fight more effectively against the black market and the resale of zero-days.

*

The scene is now set, so let’s switch from theory to practice.

Security.txt: the promising RFC!

To address the lack of available contacts for disclosing a vulnerability on a website, security researcher EdOverflow, inspired by the role of the well-known robots.txt, has proposed since early August 2017 that each website include a security.txt file: a reference file containing the procedure to follow in order to report a bug or a vulnerability to the site’s publisher more effectively.

This approach has the merit of establishing clear guidelines for security researchers on how to report security issues, and it allows bug bounty programs to use the file as a basis for defining the testing perimeter for future researchers.

security.txt is a draft that has been submitted as an RFC for review. This means that security.txt is still at an early stage of development. You can contribute on GitHub!
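As an added illustration of what such a reference file looks like and how a defender can sanity-check one before publishing it (this is example code written for this article, not code from the security.txt project or from YesWeHack), the following Python script parses a constructed security.txt and reports the problems a researcher would trip over: no contact, a stale expiry date, or a key/policy link served over plain HTTP. The field names, and the rule that Contact and Expires are required, follow the later published version of the format, RFC 9116; the 2017 draft described above had fewer fields. example.org and every value in the sample are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116 field names).

Added example, not code from the security.txt project or from the page.
"""
from datetime import datetime, timezone

# Constructed sample file; example.org and all values are placeholders.
SAMPLE_SECURITY_TXT = """\
# Constructed security.txt for example.org
Contact: mailto:security@example.org
Contact: https://example.org/report-a-vulnerability
Expires: 2030-12-31T23:59:00.000Z
Encryption: https://example.org/pgp-key.txt
Policy: http://example.org/disclosure-policy
Preferred-Languages: en, fr
"""

CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
URL_FIELDS = ("encryption", "policy", "canonical", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return {lowercased field name: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank, or not a "Name: value" line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_timestamp(value):
    """Parse an ISO 8601 date-time; a trailing 'Z' is accepted for +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_security_txt(text, now=None):
    """Return a list of findings to fix before publishing; an empty list means the file looks usable.

    `now` may be an ISO 8601 string so that results are reproducible in tests.
    """
    ref = _parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact must be a mailto:, https:// or tel: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            when = _parse_timestamp(expires[0])
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
        else:
            if when.tzinfo is None:
                findings.append(f"Expires must carry a time zone: {expires[0]}")
            elif when <= ref:
                findings.append(f"file expired on {expires[0]}")

    # Links to keys and policies must be served over HTTPS so they cannot be swapped in transit.
    for name in URL_FIELDS:
        for url in fields.get(name, []):
            if url.lower().startswith("http://"):
                findings.append(f"{name.title()} URL should use https: {url}")
    return findings


if __name__ == "__main__":
    for finding in check_security_txt(SAMPLE_SECURITY_TXT, now="2025-01-01T00:00:00Z"):
        print("finding:", finding)
```

Run against the constructed sample, the only finding is the Policy link served over HTTP; a file with a bare e-mail address and an expiry date in the past yields two findings. The expiry check matters operationally: an expired file tells a researcher the contact may no longer be monitored, which is exactly the "no vendor contact available" obstacle listed earlier.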

Bug Bounty as part of your disclosure policy

As part of agile development of their own products, more and more vendors are choosing to be proactive by encouraging and cooperating with IT security researchers:

  • by relying on in-house resources and expertise;
  • by contracting directly with external researchers;
  • via a platform that connects researchers with a vendor. The vendor then pays for results and can choose between various options such as program management or even patch management if its internal resources are not sufficient.

NB: The creation and long-term operation of a Bug Bounty program is considered an indicator of the maturity of a publisher’s e-governance with respect to vulnerability handling.

Since 2013, YesWeHack has been developing tools that greatly facilitate the implementation of an incentive policy for CVD.

YesWeHack, its community and ecosystem of services enable organizations and IT security researchers to better cooperate.

Thanks to the tools developed by YesWeHack, beneficiary organizations can more easily overcome the obstacles encountered by their CVD policy. In addition, organizations gain reputation by demonstrating their appetite and willingness to continuously improve their systems.

Bountyfactory.io is the first European Bug Bounty platform.

Differentiating criteria

  • Cooperation with European partners and providers as a matter of sovereignty.
  • Legal and technical infrastructure that meets the highest security requirements.
  • Security and confidentiality of communications based on encryption and compliance with ISO standards.
  • Securing financial transactions between organizations and security researchers.
  • Payment platform compliant with European anti-money laundering and anti-terrorist financing arrangements.
  • Support throughout the entire process: from the drafting of the program to assistance with corrective measures.
  • Operational ranking of the best researchers: management of a security research community.
  • Reactivity that enables the best researchers to be mobilized in record time.
  • Ability to organize different types of Bug Bounty programs (Private / Public / In situ / Hardware and/or Software).

Give it a try! Register on BountyFactory.io

What should I do if a product does not offer Bug Bounty or Security.txt?

Zerodisclo.com

A simple and effective tool to avoid full disclosure of vulnerabilities in the wild.

It is important to note that some products (software or hardware) do not have their own Bug Bounty program, which makes it difficult for a security researcher to report a vulnerability to the vendor. Moreover, not all countries have a law allowing this kind of practice, which is precisely the purpose of Article 47 of the Law for a Digital Republic, initiated by ANSSI.

YesWeHack has created Zerodisclo.com to facilitate the reporting of vulnerabilities in a secure and even anonymous way, and to connect the different actors working for a safer Internet.

Thanks to Zerodisclo, several obstacles are removed: no login, anonymization of the report via the Tor (.onion) network, and mandatory, automatic encryption of the report content with the public PGP key of the chosen CERT.

The list of CERTs included in ZeroDisclo.com

Please find below the infographic of ZeroDisclo.com

Interview of Gilles Cadignan – CEO & Co-Founder of Woleet

First of all, can you introduce us to Woleet?

Woleet.io was founded in Rennes in 2016. Woleet is a data anchoring platform using the Bitcoin blockchain. To sum up, we provide a SaaS platform that receives digital fingerprints of data and anchors them in Bitcoin by linking these fingerprints to a transaction bearing a certain date. To achieve this, Woleet builds a cryptographic structure that allows multiple fingerprints to be combined in a single transaction.

The use of Woleet has many benefits:

  • Once anchored in the blockchain, the dated proof of existence can be verified free of charge by anyone who has the data, the anchor receipt and Internet access to retrieve the relevant Bitcoin transaction.
  • Confidentiality is preserved: Woleet only handles digital fingerprints, which can be enriched with metadata for information purposes.
  • No need to own bitcoins to use our service, as Woleet takes care of interacting with the blockchain by building the transactions.

OK, but why does the partnership between Woleet and YesWeHack make sense?

Well, YesWeHack is actually a nice team: they like to chat and laugh over a beer 😉

More seriously, the Woleet and YesWeHack partnership came about quite logically following a meeting held in Rennes in December 2016 within the framework of the EuroCyberWeek.

The technology and the start-up spirit offered by Woleet fit perfectly with YesWeHack’s know-how. You know, the concept of blockchain is too often used as a buzzword: so-called experts talk about it, but very few really know what it is. Concretely, the synergy between Woleet, YesWeHack and its partner Digital Security took shape in record time (less than 3 weeks), and it made it possible to integrate all the skills very effectively for the benefit of the Zerodisclo.com project.

Thanks to the meeting of Woleet and YesWeHack, the blockchain finally finds a relevant and concrete use case to better secure the Internet.

Woleet is very proud to have contributed, in its own measure, to this useful initiative in the public interest. Obviously, it is also a smart way for Woleet to promote our skills and vision.

So, from your point of view: why is zerodisclo.com a good use case?

YesWeHack wanted its Zerodisclo.com service to have irrefutable proof of integrity and time-stamping for the vulnerability reports transmitted via Zerodisclo.com: an open proof, verifiable by all without an intermediary. The choice of anchoring the integrity and time-stamp data for these vulnerability reports was self-evident. By anchoring them in the blockchain, the service offers full transparency without revealing any information about the source or the content of the discovered vulnerability. Anchoring data in the blockchain, coupled with the electronic signature, thus ensures a higher degree of irrefutable traceability for each party, both for the security researcher and for the company concerned by the vulnerability.

Zerodisclo.com was launched during FIC2017, and it showed very genuinely that an idea can become operational and efficient when all the stakeholders involved contribute with a common interest. This notable exercise reveals the quality of start-ups in France and, furthermore, in Europe.

Zerodisclo is therefore an ambitious project aimed at strengthening information systems by making it easier for good Samaritans to report vulnerabilities. The innovation is, at this stage, rather unique: Zerodisclo.com is a non-profit tool that better protects bug reporters by putting in the loop the official CERTs, which will have the responsibility of warning the organizations concerned.

By the way, next March 29 in Paris, at Hackpero.com at Ecole 42, I will take the floor with Guillaume from YesWeHack to present the synergy we built within the ZeroDisclo.com project!

Can you tell us more about the evolutions of Woleet?

After a year of various experiments with several customers, Woleet is entering the production phase for these various projects. By focusing solely on mature low-level uses, we differentiate ourselves from the purely experimental approach of the majority of current blockchain projects. Beyond the implementation of projects based on the Woleet platform, we are involved in many projects such as the standardization work on proofs, carried out jointly with several other international start-ups and with authorities such as the W3C. At the R&D level, we are working on the next primitives that we intend to offer as an alternative to digital signatures, based on the Bitcoin protocol; we also provide tools for the management of digital assets, still on Bitcoin. To lead all these projects, we will have to grow our team and welcome passionate people who want to take part in what we think is a revolution at least as big as the Internet revolution.

ZeroDisclo.com : IT Security Researchers finally Protected

In constant contact with its community of security researchers, YesWeHack has noted that it is complex for a security researcher, and therefore for a whistle-blower, to report security flaws in a coordinated way to the impacted organizations, especially if those organizations do not have a Bug Bounty program registered on BountyFactory.io!

Vulnerability discoverers often have difficulty reporting them to the organizations concerned without disclosing them to a third party, and unfortunately direct contact with companies constitutes a legal risk.

A long-time partner of the security research community through its founders, YesWeHack is launching ZeroDisclo.com.

This platform provides the technical means and the required environment for everyone to adopt the coordinated reporting of vulnerabilities commonly known as “Coordinated Vulnerability Disclosure”.

The platform, which can be accessed directly or via the Tor network, offers any Internet user the opportunity to report a vulnerability to CERTs™ via an online form, providing the information needed to understand it and evaluate its severity through its CVSS score. The researcher can then choose to remain anonymous or provide his/her identity if he/she wishes to be contacted, or even thanked in return.

The report is encrypted with OpenPGP using the key of the CERT™, directly in the browser, then time-stamped, signed and anchored in the blockchain, and forwarded automatically to the CERTs™ chosen from an exhaustive list.

In exchange, the researcher receives a certificate attesting to his/her submission.
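To make the integrity and time-stamping guarantees described here (and, in the interview above, Woleet's "cryptographic structure that allows multiple fingerprints to be put together in a single transaction") concrete, the following Python script is an added example, not ZeroDisclo's or Woleet's own code. It assumes that the structure is a Merkle tree, that only the tree's root is written into the Bitcoin transaction, and that the "certificate" the researcher receives is a receipt holding the report's hash, the sibling hashes up to the root and the anchoring time. The report bodies and the timestamp are constructed; the OpenPGP encryption of the report to the CERT is a separate step and is not shown.

```python
"""Fingerprint reports, anchor a batch as one Merkle root, and verify a receipt.

Added example (not ZeroDisclo's or Woleet's code). Assumes a Merkle tree
whose root stands in for the value written into the Bitcoin transaction.
"""
import hashlib

ANCHORED_AT = "2017-01-25T10:00:00Z"  # constructed timestamp, stands in for the block time

# Constructed report bodies; only their hashes ever leave the reporter's machine.
REPORTS = [
    b"constructed report A: contents stay with the reporter and the CERT",
    b"constructed report B: contents stay with the reporter and the CERT",
    b"constructed report C: contents stay with the reporter and the CERT",
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def fingerprint(report: bytes) -> bytes:
    """Digital fingerprint of a report: reveals nothing about its content."""
    return sha256(report)


def build_tree(leaves):
    """Return the tree levels: levels[0] = leaves, levels[-1] = [root].
    An unpaired node on a level is hashed with a copy of itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def make_receipt(levels, index, anchored_at):
    """Receipt for leaf `index`: its hash, the sibling path to the root, the root and the timestamp."""
    target = levels[0][index]
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1  # the neighbour in the same pair
        proof.append((level[sibling].hex(), "left" if sibling < index else "right"))
        index //= 2
    return {"target_hash": target.hex(), "proof": proof,
            "merkle_root": levels[-1][0].hex(), "anchored_at": anchored_at}


def verify_receipt(report: bytes, receipt, published_root: str) -> bool:
    """Anyone holding the report, its receipt and the published root can check the proof."""
    h = fingerprint(report)
    if h.hex() != receipt["target_hash"]:
        return False  # the report differs from what was anchored
    for sibling_hex, side in receipt["proof"]:
        sib = bytes.fromhex(sibling_hex)
        h = sha256(sib + h) if side == "left" else sha256(h + sib)
    return h.hex() == receipt["merkle_root"] == published_root


def anchor_batch(reports, anchored_at=ANCHORED_AT):
    """Anchor a batch: return the root to publish and one receipt per report."""
    levels = build_tree([fingerprint(r) for r in reports])
    root = levels[-1][0].hex()
    return root, [make_receipt(levels, i, anchored_at) for i in range(len(reports))]


def demo():
    """Return (every receipt verifies, a tampered report still verifies)."""
    root, receipts = anchor_batch(REPORTS)
    all_ok = all(verify_receipt(r, rc, root) for r, rc in zip(REPORTS, receipts))
    tampered = verify_receipt(REPORTS[0] + b" (edited)", receipts[0], root)
    return all_ok, tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

Two properties of the page's claims show up directly: the receipt for report A contains only hashes, so the CERT, the vendor or a third party learns nothing about reports B and C from it (confidentiality), and changing a single byte of a report, or presenting a receipt against a root other than the published one, makes verification fail (integrity and irrefutable traceability).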

Currently, the CERTs™ selected by ZeroDisclo.com are CERT-EU, CERT-FR and CERT-UBIK, created by Digital Security and dedicated to the Internet of Things. Moreover, organizations can subscribe to ZeroDisclo.com in order to monitor in real time the flaws concerning their systems and, if necessary, contact the relevant CERTs™ to obtain the details.

ZeroDisclo.com aims at empowering the community and at enabling security researchers to prove their good faith. ZeroDisclo.com offers an efficient and ethical alternative to services that disclose vulnerabilities on the Internet and on the black market.

Founded in 2013, YesWeHack connects organizations or projects with IT security needs with skilled people.

Four interdependent platforms are available:

– YesWeHack Jobboard: the first job site specializing in computer security.
– Bounty Factory: Bug Bounties’ first European platform.
– FireBounty: Bug Bounties aggregator.
– ZeroDisclo: Vulnerability Reporting Platform.


Press contact: presse@yeswehack.com

