Katie Moussouris (posted July 19, 2019): In a world where nobody writes perfect code or keeps up with applying patches for known vulnerabilities, there exist people who try to warn others. Sometimes lauded as heroes of the internet, other times treated like outlaws, this is a place to post the best & the worst of vulnerability disclosure related experiences. Whether you're a finder, coordinator, or receiving party to vuln disclosure, there is much to discuss in this often misunderstood space.
Katie Moussouris (posted July 20, 2019): Let's start with the light (dark?) side of vulnerability disclosure: The Pwnie Awards. 🦄 There's still time for a nomination for Lamest Vendor Response! Enter here: https://docs.google.com/forms/d/e/1FAIpQLSfZlVxAuoMaHgZVrzNWREccbqXrJcqIST_4Z2F12a3VbqfJhg/viewform
Yuu Chan (posted July 23, 2019): My favorite is still this one: I disclosed a number of vulns, including their private keys to the production environment and an exposed vulnerable router via SSRF. "Thanks, but why?"
Quentyn Taylor (posted July 31, 2019): I reported one to a major cloud provider and their response was to state that 1) the vulnerability did exist but had been closed in 2014, and 2) my own email must have been hacked. Well, I hope that it wasn't 2, but I found it by accident in 2017... Yes, they are a household name and so big it's impossible to get to the right team (I even have email header evidence). Oh well, it's fixed for me at least. Q

Oh, another one from a *looooong* time ago was with a major lock manufacturer: if you nmapped their lock control server it rebooted and, err, unlocked all the connected locks (for H&S reasons). We tried to get them to fix it; they ignored us, then asked us if we were threatening them... We buried the system deep with a single machine on a dedicated VLAN eventually.
Jonny Schnittger (posted August 1, 2019): My personal favorite is when they don't respond. You know they got the notification, the issue is quietly fixed (or not, lol) and nothing...
Sherman Chu (posted August 6, 2019): Hey folks, what are some of the best practices an organization should have when it comes to running an effective vuln disclosure program?
Katie Moussouris (posted August 6, 2019): This is a 20-minute video covering the ISO standards for vulnerability disclosure (ISO 29147) and vulnerability handling processes (ISO 30111). They've been updated since the versions this video is based on. One is out already, the other forthcoming later this year. https://www.iso.org/standard/72311.html https://www.iso.org/standard/53231.html