YesWeHack organises bug bounty programmes so that vulnerabilities are disclosed and corrected before malicious actors can exploit them. A year after joining the Paris Call, we look back at how we have contributed to furthering peace in cyberspace.
In March 2019, the EU Parliament adopted the Cybersecurity Act. The EU Cybersecurity Act aims to strengthen the role of the European Agency for Network and Information Security (ENISA) and introduces a common certification framework for ICT products (hardware, software and services).
Before this, in 2018, the European Commission advocated the creation of a network of cybersecurity expertise centres to reinforce research and the deployment of new capabilities in the European Union.
The European Commission has pushed to invest more than €2 billion to reinforce cybersecurity in the Digital Europe Program along with the H2020 Program, with €63.5 million invested in four pilot projects.
One of the four funded projects is called SPARTA, bringing together 44 partners. As a SPARTA partner, YesWeHack asserts its role in advocating operational Coordinated Vulnerability Disclosure and Crowd-sourced security at the European level.
Since its creation in 2013, YesWeHack has been defending and promoting Coordinated Vulnerability Disclosure.
In March 2018, YesWeHack CEO Guillaume Vassault-Houlière and Romain Lecoeuvre (CTO) contributed to the ground-breaking report on Software Vulnerability Disclosure processes in Europe published by CEPS experts including Lorenzo Pupillo, Afonso Ferreira and Gianluca Varisco.
The report's finding is sobering: only the Netherlands, followed closely by France, have a decent national CVD policy. Needless to say, a huge amount of work remains to be done in this field.
Back in 2016, France, through its National Cybersecurity Agency (ANSSI), included Vulnerability Disclosure in its revised legislative framework (source: Law for a Digital Republic, Article 47).
Let us take a look at how Coordinated Vulnerability Disclosure (CVD) is incentivized and framed by the EU Cyber Security Act.
For the past ten years or so, organizations have been trying to implement operational policies to avoid "Full Disclosure" reports or "Open Bug Bounty" submissions, whose methods leave much to be desired in terms of honesty and responsibility.
Speaking of responsibility, you may be familiar with the notion of "Responsible Disclosure" and wonder how it differs from the concept of Coordinated Vulnerability Disclosure (CVD).
The concept of responsible disclosure has too often been at the root of endless discussions:
On the one hand, vendors protest: "Disclosing a vulnerability without providing patches is not responsible."
On the other, security researchers retort: "Not fixing this vulnerability as quickly as possible is not responsible."
During this precious time while both sides argue, the system concerned is at the attacker's mercy.
In order to move towards greater efficiency and to get out of sterile debates, it is therefore important to avoid speaking of "responsible disclosure". This is why many organizations advocate the concept of "Coordinated Vulnerability Disclosure" (CVD) in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom share a common goal: make the Internet safer.
Coordinated Vulnerability Disclosure
In constant contact with its community of security researchers, YesWeHack has noted how difficult it is for a security researcher, and therefore for a whistle-blower, to report security flaws in a coordinated way to the impacted organizations, especially when those organizations do not have a Bug Bounty program registered on YesWeHack.com.
Those who discover vulnerabilities often struggle to find a way to report them to the organizations concerned without disclosing them to a third party, and unfortunately direct contact with companies constitutes a legal risk.
A long-time partner of the security research community through its founders, YesWeHack launches ZeroDisclo.com.
This platform provides the technical means and the required environment for everyone to adopt the coordinated reporting of vulnerabilities commonly known as "Coordinated Vulnerability Disclosure".