2020-036-Katie Moussouris, Vulnerability Coordination Maturity Model, when are you ready for a bug bounty - Part 1

Introduce Katie (bio) (@k8em0) CEO and Owner, LutaSecurity The scope of the VCMM (what is it?) VCMM - Vulnerability Coordination Maturity Model  https://www.lutasecurity.com/vcmm Just covers the internal process? To ready an org for a bug bounty program or to accept vulns from security researchers? You mentioned not playing whack-a-mole, when it comes to responding at the beginning of a vuln disclosure program. Is the directing of different categories of bugs one of the things that goes into not having to just wait for the bugs to roll in? Will this work for internal security or red teams as well, or is this more suited to bug bounties? What's the timeline for this process? "We need something for a product launch next week…" Stakeholders involved? CISO? Security team? IT? Devs? What precipitates the need for this? Maturity? Vuln Disclosure?  Are the ISO docs required for this to work, or will they assist in an easier outcome? https://blog.rapid7.com/2017/12/19/nist-cyber-framework-revised-to-include-coordinated-vuln-disclosure-processes/ https://www.rsaconference.com/industry-topics/video/bug-bounty-programs-arent-enough-for-todays-cyber-threats-katie-moussouris-rsac  10 worst jobs (popsci article): https://web.archive.org/web/20070712070214/https://www.popsci.com/popsci/science/0203101256a23110vgnvcm1000004eecbccdrcrd.html https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961 How does an org use this to communicate vulnerabilities in their own products?  What's the bare minimum you need on this chart for a successful program? Are any facets more important than the others? Does anyone hit all 3s, or is that a pipedream? Incentive "no legal action will be taken". People want money… not tours, not 10-point font. How do you convince 'good' bug writers to want to help you for a 'thank you'? Should incentive be a 'Level 3' or would you consider it not ready for prime-time? https://www.zdnet.com/article/yahoo-changes-bug-bounty-policy-following-t-shirt-gate/ Vuln reporting Lots of Twitter fodder of companies that handle vuln disclosure poorly, even folks say that you shouldn't bother and deal with a 3rd party. If a company is taking bugs and doing all the baseline items, what are some other things they could do to make security disclosure easier?Security.txt? Clearly stated bugs@ or Security@ (and not buried in 3 point font in the privacy policy, or ToS) SLA to reply to all bugs? Standardized disclosure form for discoveries? Slide Presentation Overview: https://7bb97855-c50f-4dce-9a1c-325268684c64.filesusr.com/ugd/ed9b4b_f04d16446542494887906777a39204bf.pdf ISO 29147:2018 - $150 USD https://www.iso.org/standard/72311.html ISO 30111:2019 - $95 USD https://www.iso.org/standard/69725.html ISO 27034-7:2018 - $150 USD https://www.iso.org/standard/66229.html  Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected] #AmazonMusic: https://brakesec.com/amazonmusic  #Brakesec Store!: https://brakesec.com/teepub  #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora  #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel:  http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site:  https://brakesec.com/bdswebsite #iHeartRadio App:  https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: [email protected] Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec