As somebody who cares a lot about vulnerability disclosure (vulnerability management is my actual job) I'm finding the whole @DI_Security / @salltweets / @joinagiggle thing really interesting. So often we get responsible disclosure wrong, so we go back, we adapt and we educate... 1/x
..., we improve. But in this case Jay did pretty much everything by the letter of best practice and is taking absolute pelters from both the owner and her supporters.

But what's really interesting is what was said in some of those replies. It's making me think that......
.. how we deal with big mature vendors really doesn't translate to how we deal with small startup vendors. I've worked in that space. @tnash & I sat through loads of pitches by people with little technical background but a solid gold idea, if only we'd develop their app for them
...they care passionately about their project, but in a lot of cases having an app built was no different to a goods reseller buying in stock before adding their own USP and reselling.

But we're used to dealing with corps who have security teams and VDPs and understand InfoSec..
..what happens when we're talking to a company (and I'm not saying this is the case at giggle) that's built something either in-house with a small dev team, or outsourced it. Done what they feel is good due diligence (even paid for a week's web app pentesting) and we rock up....
.... calling their baby ugly (or at least insecure).

I understand it from their side. I genuinely do. They've probably never heard of a VDP or dealt with a breach, and getting defensive when you feel attacked is normal. In this case utterly counterproductive, but normal.
The responses from their community are most interesting (gender politics aside).

For example

https://twitter.com/WashingtonFem/status/1303718749057425408

We take it for granted they see it as a favour. This isn't some skid demanding a bounty payment, it's genuine responsible disclosure. We can all see that ....
.. but I also get how they wouldn't.

There are other similar ones where the community decided they were being attacked.

We know the approach was genuine and benevolent, but how can WE as an industry better get that across?
Our "Responsible Disclosure" approach works moderately well for orgs that have dealt with vuln disclosure before but do we need a different (& std) approach for others?

We'd never dream of emailing a company about vulns. We *know* that just doesn't work, but maybe we should try?
You can follow @GlennPegden.