TRANSCRIPT
Coordinated Vulnerability Disclosure – Overview CVD Workshop
Speakers:
• Hans de Vries – Head of National Cyber Security Centre of the Netherlands
CVD good practices, Dutch approach
• Joshua Corman – I am The Cavalry
CVD from the researcher’s perspective
• Ryan Gillis – Vice President, Cybersecurity Strategy and Global Policy at Palo Alto Networks
CVD good practices of organisations, manifesto
• Szilvia Tóth – Ministry of Foreign Affairs of Hungary
& Mihaela Popescu – Ministry of Foreign Affairs of Romania
Expert meetings in this initiative & a look ahead
Coordinated Vulnerability Disclosure: The Dutch Approach
Hans de Vries (NCSC-NL)
Washington, June 1st 2016
Agenda
• Guiding Principles NCSC-NL
• The Dutch Approach
• Our experiences
• Looking to the present and future
Coordinated Vulnerability Disclosure | June 1st, 2016
Guiding Principles NCSC-NL
• Multi stakeholder approach
• Connecting and strengthening initiatives
• Public – Private Partnerships
• Individual responsibility
• Self-regulation where possible
• Proportionate measures and regulation
• Shared responsibilities between departments
• International cooperation
The Dutch approach
• Provide guidelines with a focus on good cooperation between vulnerability researcher and organisation, and on clear expectations
• If all goes well, the only role of the government is facilitator and promoter
Guidelines, no law
• The Ministry of Security and Justice and Public Prosecution Service support and advocate guidelines
• Public Prosecution Service ultimately still has the discretion to prosecute, for instance when a reporter goes ‘too far’ despite agreed terms; of course this also holds true for organisations
• Policy is an agreement between organisation and reporter
• Reporter and organisation agree to adhere to published policy, organisation promises not to file a complaint with the Police
• Jurisprudence/Case law: Guidelines cited by judge in several criminal cases
Our experiences
• Many organisations have published a policy
• Good comments from both reporters and organisations
• Many good quality reports
• Mostly website vulnerabilities, but also 0-days
• Reporters getting hired instead of arrested
• Organisations put fixing found vulnerabilities in supplier contracts
• Organisations take the opportunity to improve software development, testing and incident handling procedures
So why listen to someone who owned you?
• Find vulnerabilities in your systems
• Show people that you care about their information
• Involve community in keeping your organisation secure
• Have reporters disclose responsibly
• Make the world a better and safer place!
A win-win situation!
Looking to the present and future
• Adoption by international companies makes other organisations also see the advantages of CVD and its positive reputation effects
• Who is liable? The organisation using the software, the reporter, or the company that made the software?
• Several private companies help to further develop CVD and promote the principles
• Security vs. safety: CVD in this respect has a lot of challenges, like how to disclose vulnerabilities in critical infrastructure, medical equipment and automotive
• We need more good international examples!
Coordinated Vulnerability Disclosure Manifesto
New signatories welcome!
Speakers