Full Disclosure Debate - NBT 5


Fun debate between @viss and @caseyjohnellis on the merits and drawbacks of Full Disclosure.

Published in: Technology

  1. The Full Disclosure Debate: @viss vs @caseyjohnellis. NBTCon HackerFight, Dec 1, 2018
  2. FULL DISCLOSURE IS BAD, M’KAY. caseyjohnellis - founder/chair/cto @bugcrowd
  3. Disagreeing with Full Disclosure == Disagreeing with Death and Taxes
  4. What is Full Disclosure?
     • Technically, it means publicly dropping 0-day before you tell the vendor about the vuln.
     • Realistically, it’s also interpreted to mean pre-fix, post-deadline, public disclosure in a CVD timeline.
     • Basically, public disclosure + vuln not fixed = full disclosure.
     • …also, words are hard.
  5. tl;dr: This.
  6. Why is Full Disclosure like Death and Taxes?
     • tl;dr: It’s because proactive vulnerability disclosure isn’t a normal thing yet.
     • Failure to prepare on the recipient side leads to the use of the “lever of last resort”.
     • Intake, Communication, Remediation.
     • Parts of the Internet will always suck at proactive disclosure, ergo FD will always be a thing.
     • Proactive Vulnerability Disclosure removes the need for Full Disclosure.
     “Debate against me all you like, I still don’t give a shit.” - FD Honey Badger
  7. “OK, now shut up and argue with it.”
  8. Why it’s bad. 1. OMG 0DAYZ!!! Full Disclosure gives unsophisticated actors easy access to complex attacks. 5/10 - Meh, true… but 0ld-day is a bigger culprit. *cough* WannaCry *cough*
  9. Why it’s bad. 2. ZOMG h4X0RS!!! The alarm and general fuss that accompanies Full Disclosure reinforces the “US vs THEM” stereotype of the hacker community, and lumps good-faith hackers back in with the malicious ones. 7/10 - OK, fair point.
  10. Why it’s bad. 3. ZOMG keep away!!! Full Disclosure scares the shit out of the people who need to sign off on proactive vulnerability disclosure. This slows proactive VDP/CVD adoption down, which makes FD more likely. 10/10 - That’s bad, m’kay.
  11. Why it’s bad. 4. ZOMG I wanna be like @viss. There are literally thousands of net-new people joining the fight. They’re enthusiastic and many have skill… but they all come in with ZERO context on the nuances of Full Disclosure. The twitter/IM/press ruckus around Full Disclosures teaches them to escalate their findings prematurely, creating a negative behavioral spiral which impacts the entire good-faith hacker ecosystem. 12/10 - A++++ WOULD DEBATE AGAIN
  12. As all good debates should finish…
  13. BONUS ROUND. RJE: remote-journalist-execution. Hyped low-criticality FDs + click-happy journalists = we ALL end up as the boy who cried wolf. ∞/10 - please stop.
  14. fin. @bugcrowd @caseyjohnellis
