CH14 Vulnerability Disclosure Flashcards
At what stage of the SSDLC does Vulnerability Disclosure come?
The Security Response Stage
A vulnerability researcher can report a vulnerability through which 4 possible mediums?
Responsible Disclosure to a vendor
Full disclosure for the internet
National Security Market to Nation States
Black Market for Criminals
Criminals and Nation States will feed this back to the System Owner as a System Exploit
Vendors can make patches that can be added to a Full disclosure publication
Full Disclosure
Publishing vulnerabilities immediately to the public without restriction
Creates pressures on vendors (big economic incentive)
Forces vendors to patch quickly (and customers to install/implement patches quickly)
Responsible Disclosure
Publishing vulnerabilities after a mitigation period to the public
“invented” around 2004
Creates pressure on vendors to react within the mitigation period; typical mitigation period: 90 days (can be agreed case by case with the vendor)
Allows vendors to distribute patches to their customers “in private”
If they fail to react, vulnerability is published without restrictions
Selling Vulnerabilities
Zerodium buys exploits and sells them to government clients
Prices depend on the exploit type
Sells exploits for:
RCE: Remote Code Execution
LPE: Local Privilege Escalation
SBX: Sandbox Escape or Bypass
VME: Virtual Machine Escape
Bug Bounty Programs
“Guide” security researcher by rewarding them for finding (certain types of) vulnerabilities in products
The idea is to create a win-win situation:
- security researchers are encouraged to look at specific products (increases security of that product and supports vendor internal activities)
- Security researchers get a reward for their work
- can be organized by a vendor or outsourced
If you found a vulnerability
be careful - always consult a lawyer (or very experienced party)
check if the vendor has published guidelines
5 stages within security response
Report: A security researcher submits a vulnerability report
Validate: Analyst validates the report
Triage: the analyst triages the report
Remediate: Engineering develops a remediation plan
Disclose: the vendor discloses the vulnerability to the public (or customers)
What in essence is the security response?
the activity of responding to vulnerabilities reported in your organisation’s product or service
part of the larger ecosystem of product security; integrating security processes into the software development lifecycle
not “vulnerability management”
Why 90 days can be short for a vendor to triage a vulnerability
finding the person responsible for triaging a vulnerability can take a few days
clarifying details with the security researcher can take weeks
developing a fix often only takes hours after the problem is understood
testing that a security fix does not introduce unwanted changes can take months