Preview Mode Links will not work in preview mode

Nov 21, 2021

https://twitter.com/Esquiring - Fred Jennings

 

Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the a way for disclosure of 0day? (‘proper’ is different and dependent)

 

This show was inspired by this Tweet thread from @k8em0 and @_MG_
https://twitter.com/k8em0/status/1459715464691535877


https://twitter.com/_MG_/status/1459718518346174465

 

Legal Safe Harbor? Copy-left for security researchers…?



What is a VEP? Not a new concept (2014)

https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities

Context: Was written when Heartbleed came out.

About transparency, but within reason

From the blogpost:
“We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

 

How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?

Does the vulnerability, if left unpatched, impose significant risk?

How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?

How likely is it that we would know if someone else was exploiting it?

How badly do we need the intelligence we think we can get from exploiting the vulnerability?

Are there other ways we can get it?

Could we utilize the vulnerability for a short period of time before we disclose it?

How likely is it that someone else will discover the vulnerability?

Can the vulnerability be patched or otherwise mitigated?”

 

Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process

 

Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter

 

Companies have VEP (every time they issue a patch), but they aren’t always transparent about it. Embargoes a plenty. https://www.redhat.com/en/blog/security-embargoes-red-hat

https://xenproject.org/developers/security-policy/  (creates a caste system of ‘haves and not-haves’... important vs. not important) bad guys will target people not on the inside.

 

0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/

 

Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633

https://twitter.com/JimSycurity/status/1459152870490574854

Preferred patch 8.1.17, issued october 2020

 

VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml

The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

 

In a perfect world, what does disclosure look like?

 

Communication (easy, secure, detailed… pick 1)

Separating wheat from chaff - ‘lol, i got root, pay me plz’

 

Fear of NDAs and gag clauses

Do people expect to be paid?

Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?