Vulnerability Disclosure
Stephen Pattison, Board Member, IoTSF
How Not To Manage It…
15/06/2018 IoTSF Conference London Dec 2016 2
"We are aware of the report on Twitter…" an Owlet spokeswoman told us.
Making The Best Of It…
"…triggered Philips to release a firmware patch for owners of its 'Hue' connected bulbs."
IoT Security Foundation Vulnerability Disclosure Guidelines
Vulnerability Disclosure Process Guidelines
- Web Site
- Sample Web Page Text
- Means of Contact
- Communicating with the Researcher
- Resolving Conflict
- Timing of Response
- Security Advisory
- Credit where Credit is Due
- Money
- Discouraging Damaging Actions
Coordinated Vulnerability Disclosure
- all IoT product and service suppliers to have a point of contact for security researchers;
- a researcher works closely with a company to fix an issue;
- the issue is then made public at a mutually agreed time. This minimises the risk and harm to users.
A Quick Win for Companies
Easy to set up - in its most basic sense it is literally an email address: security@[company], and in a slightly more advanced state a web page ([website]/security).
- it allows companies to be easily contactable by people who want to let them know about security problems.
Key Elements
The process should cover both: (i) the reporting of newly discovered security vulnerabilities and (ii) the public announcement of security vulnerabilities (usually following the release of a software patch, hardware fix, or other remediation).
Key Elements
It is essential that security researchers can be channelled to the right point of contact, so it is imperative that there is an easy-to-find web page which contains all the necessary information. (Some companies also choose to specify what they consider to be unacceptable security research, such as that which would lead to the disclosure of customer data.)
Key Elements
The text on your security contact web page should state in what time frame the security researcher can expect a response; this will typically be a few days, perhaps up to a week.
It is important to communicate with the researcher and explain how you justify your estimated timing.
If the researcher feels that you are not taking their report seriously enough, it may cause a breakdown of the process and premature public disclosure of the vulnerability.
Key Elements
A company should not encourage damaging activity. Some security pages explicitly exclude certain types of research - for example Denial of Service attacks on a site, or hacking into systems in order to expose customer data.
It is standard practice, as a gesture of goodwill and recognition of security researchers' efforts, to name security researchers who have cooperated in a vulnerability disclosure.
Resolving Conflict
- Leave the process only after exhausting reasonable efforts to resolve the disagreement;
- Leave the process only after providing notice to the other party;
- Resume the process once the disagreement is resolved.
Some Friends and the Future
We do NOT operate a service for disclosures (unlike the GSMA); we want companies to do this themselves. We are aligned with the GSMA and also with the ISO standard. There is an emerging consensus that CVD is something that all IoT companies should implement. We may continue work in this space as best practice evolves around things like bug bounties and issues like extortion/blackmail.
www.iotsecurityfoundation.org