2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1

https://twitter.com/Esquiring - Fred Jennings Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? ('proper' is different and dependent) This show was inspired by this Tweet thread from @k8em0 and @_MG_https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465   Legal Safe Harbor? Copy-left for security researchers…? What is a VEP? Not a new concept (2014) https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities Context: Was written when Heartbleed came out. About transparency, but within reason From the blogpost:"We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability: How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems? Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability? How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it? Could we utilize the vulnerability for a short period of time before we disclose it? How likely is it that someone else will discover the vulnerability? Can the vulnerability be patched or otherwise mitigated?"   Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process   Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter   Companies have VEP (every time they issue a patch), but they aren't always transparent about it. Embargoes a plenty. https://www.redhat.com/en/blog/security-embargoes-red-hat https://xenproject.org/developers/security-policy/  (creates a caste system of 'haves and not-haves'... important vs. not important) bad guys will target people not on the inside.   0day benefit from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/   Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633 https://twitter.com/JimSycurity/status/1459152870490574854 Preferred patch 8.1.17, issued october 2020   VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml "The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.   In a perfect world, what does disclosure look like?   Communication (easy, secure, detailed… pick 1) Separating wheat from chaff - 'lol, i got root, pay me plz' Fear of NDAs and gag clauses Do people expect to be paid? Setup of a 'cheap' program? What if you don't have a budget to pay out (or more accurately, mgmt won't pay out)? People won't disclose? Should you pay? Use a 3rd party?