
Oct 11, 2020

Introduce Katie Moussouris (bio) (@k8em0), CEO and Owner, Luta Security

The scope of the VCMM (what is it?)

VCMM - Vulnerability Coordination Maturity Model 

https://www.lutasecurity.com/vcmm

Does it cover only the internal process? Is the goal to ready an org for a bug bounty program, or to accept vulns from security researchers in general?

You mentioned not playing whack-a-mole when first responding under a vuln disclosure program. Is routing different categories of bugs to the right owners one of the things that keeps you from just waiting for the bugs to roll in?


Will this work for internal security or red teams as well, or is this more suited to bug bounties?

What’s the timeline for this process? “We need something for a product launch next week…”

Stakeholders involved? CISO? Security team? IT? Devs?

What precipitates the need for this? Maturity? Vuln Disclosure? 

Are the ISO docs required for this to work, or will they assist in an easier outcome?

https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/

https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac 

10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html

https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961

How does an org use this to communicate vulnerabilities in their own products? 

What’s the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipedream?

Incentive “no legal action will be taken”. People want money… not tours, not 10-point font. How do you convince ‘good’ bug writers to want to help you for a ‘thank you’? Should incentive be a ‘Level 3’ or would you consider it not ready for prime-time?

https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/

Vuln reporting

Lots of Twitter fodder about companies that handle vuln disclosure poorly; some folks even say you shouldn’t bother reporting directly and should go through a 3rd party instead.

If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier?

Security.txt?

A clearly stated bugs@ or security@ address (and not buried in 3-point font in the privacy policy or ToS)

SLA to reply to all bugs?

Standardized disclosure form for discoveries?

Slide Presentation Overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf

ISO/IEC 29147:2018 (Vulnerability disclosure) - $150 USD

https://www.iso.org/standard/72311.html

ISO/IEC 30111:2019 (Vulnerability handling processes) - $95 USD

https://www.iso.org/standard/69725.html

ISO/IEC 27034-7:2018 (Application security, Part 7: Assurance prediction framework) - $150 USD

https://www.iso.org/standard/66229.html 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#AmazonMusic: https://brakesec.com/amazonmusic 

#Brakesec Store!: https://brakesec.com/teepub 

#Spotify: https://brakesec.com/spotifyBDS

#Pandora: https://brakesec.com/pandora 

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec