Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure · • Ryan Gillis – Vice President, Cybersecurity Strategy and Global Policy at Palo Alto Networks CVD good practices of organisations, manifesto

Oct 30, 2019

Page 1

Coordinated Vulnerability Disclosure

Page 2

Overview CVD Workshop

Speakers:

• Hans de Vries – Head of National Cyber Security Centre of the Netherlands: CVD good practices, Dutch approach

• Joshua Corman – I am The Cavalry: CVD from the researcher’s perspective

• Ryan Gillis – Vice President, Cybersecurity Strategy and Global Policy at Palo Alto Networks: CVD good practices of organisations, manifesto

• Szilvia Tóth – Ministry of Foreign Affairs of Hungary & Mihaela Popescu – Ministry of Foreign Affairs of Romania: Expert meetings in this initiative & a look ahead

Page 3

Coordinated Vulnerability Disclosure: The Dutch Approach

Hans de Vries (NCSC-NL)

Washington, June 1st 2016

Page 4

Agenda

• Guiding Principles NCSC-NL

• The Dutch Approach

• Our experiences

• Looking to the present and future

Coordinated Vulnerability Disclosure | June 1st, 2016

Page 5

Guiding Principles NCSC-NL

• Multi stakeholder approach

• Connecting and strengthening initiatives

• Public – Private Partnerships

• Individual responsibility

• Self-regulation where possible

• Proportionate measures and regulation

• Shared responsibilities between departments

• International cooperation


Page 6

[Slide image: corporate website login form (Login / Password)]

Page 7

The Dutch approach

• Provide guidelines with focus on good cooperation between vulnerability researcher and organisation and clear expectations

• If all goes well, only role of the government is facilitator and promoter


Page 8

Guidelines, no law

• The Ministry of Security and Justice and Public Prosecution Service support and advocate guidelines

• The Public Prosecution Service ultimately retains the discretion to prosecute, for instance when a reporter goes ‘too far’ despite the agreed terms; of course, this also holds true for organisations

• Policy is an agreement between organisation and reporter

• Reporter and organisation agree to adhere to the published policy; the organisation promises not to file a complaint with the police

• Jurisprudence/Case law: Guidelines cited by judge in several criminal cases


Page 9

Our experiences

• Many organisations have published a policy

• Good comments from both reporters and organisations

• Many good quality reports

• Mostly website vulnerabilities, but also 0-days

• Reporters getting hired instead of arrested

• Organisations put fixing found vulnerabilities in supplier contracts

• Organisations take the opportunity to improve software development, testing and incident handling procedures


Page 10

Page 11

So why listen to someone who owned you?

• Find vulnerabilities in your systems

• Show people that you care about their information

• Involve community in keeping your organisation secure

• Have reporters disclose responsibly

• Make the world a better and safer place!

A win-win situation!


Page 12

Looking to the present and future

• Adoption by international companies makes other organisations also see the advantages of CVD and its positive reputation effects

• Who is liable? The organisation using the software, the reporter, or the company that made the software?

• Several private companies help to further develop CVD and promote the principles

• Security vs safety: CVD faces a lot of challenges in this respect, such as how to disclose vulnerabilities in critical infrastructure, medical equipment and automotive

• We need more good international examples!


Page 13

Coordinated Vulnerability Disclosure Manifesto

New signatories welcome!


Page 14

Page 15

Page 16

Speakers