Coordinated Vulnerability Disclosure

Transcription

1 Coordinated Vulnerability Disclosure

2 Overview CVD Workshop Speakers: Hans de Vries Head of National Cyber Security Centre of the Netherlands CVD good practices, dutch approach Joshua Corman I am The Cavalry CVD from the researcher s perspective Ryan Gillis Vice President, Cybersecurity Strategy and Global Policy at Palo Alto Networks CVD good practices of organisations, manifesto Szilvia Tóth Ministry of Foreign Affairs of Hungary & Mihaela Popescu Ministry of Foreign Affairs of Romania Expert meetings in this initiative & a look ahead

3 Coordinated Vulnerability Disclosure The Dutch Approach Hans de Vries (NCSC-NL) Washington, June 1st 2016

4 Agenda Guiding Principles NCSC-NL The Dutch Approach Our experiences Looking to the present and future Coordinated Vulnerability Disclosure June 1st, 2016

5 Guiding Principles NCSC-NL Multi stakeholder approach Connecting and strengthening initiatives Public Private Partnerships Individual responsibility Self-regulation where possible Proportionate measures and regulation Shared responsibilities between departments International cooperation Coordinated Vulnerability Disclosure June 1st, 2016

6 Corporate website Login Password

7 The Dutch approach Provide guidelines with focus on good cooperation between vulnerability researcher and organisation and clear expectations If all goes well, only role of the government is facilitator and promoter Coordinated Vulnerability Disclosure June 1st, 2016

8 Guidelines, no law The Ministry of Security and Justice and Public Prosecution Service support and advocate guidelines Public Prosecution Service ultimately still has the discretion to prosecute, for instance when a reporter goes too far despite of agreed terms, of course this also holds true for organisations Policy is an agreement between organisation and reporter Reporter and organisation agree to adhere to published policy, organisation promises not to file a complaint with the Police Jurisprudence/Case law: Guidelines cited by judge in several criminal cases Coordinated Vulnerability Disclosure June 1st, 2016

9 Our experiences Many organisations have published a policy Good comments from both reporters and organisations Many good quality reports Mostly website vulnerabilities, but also 0-days Reporters getting hired instead of arrested Organisations put fixing found vulnerabilties in supplier contracts Organisations take opportunity to improve software development, testing and incideng handling procedures Coordinated Vulnerability Disclosure June 1st, 2016

10 Coordinated Vulnerability Disclosure June 1st, 2016

11 So why listen to someone who owned you? Find vulnerabilities in your systems Show people that you care about their information Involve community in keeping your organisation secure Have reporters disclose responsibly Make the world a better and safer place! A win-win situation! Coordinated Vulnerability Disclosure June 1st, 2016

12 Looking to the present and future Adoption by international companies makes other organisations also see the advantages of CVD and its positive reputation effects Who is liable? Organisation using the software, the reporter or the company that made the software? Several private companies help to further develop CVD and promote the principles Security vs safety, CVD in this respect has a lot of challenges, like how to disclose vulnerabilities in critical infrastructure, medical equipment and automotive We need more good international examples! Coordinated Vulnerability Disclosure June 1st, 2016

13 Coordinated Vulnerability Disclosure Manifesto New signatories welcome! Coordinated Vulnerability Disclosure June 1st, 2016

14 Coordinated Vulnerability Disclosure June 1st, 2016

15

16 Speakers