Nov 21, 2021
https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? (‘proper’ is different and dependent)
This show was inspired by this
Tweet thread from @k8em0 and @_MG_
Legal Safe Harbor? Copy-left for security researchers…?
What is a VEP? Not a new concept (2014)
Context: Was written when Heartbleed came out.
About transparency, but within reason
“We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability?
Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?”
Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Companies have VEP (every time they issue a patch), but they aren’t always transparent about it. Embargoes a plenty. https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/ (creates a caste system of ‘haves and not-haves’... important vs. not important) bad guys will target people not on the inside.
0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633
Preferred patch 8.1.17, issued october 2020
VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
“The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - ‘lol, i got root, pay me plz’
Fear of NDAs and gag clauses
Do people expect to be paid?
Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?