[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” International Panel Discussion (2) by Allan Friedman
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
More Related Content
Similar to [cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” International Panel Discussion (2) by Allan Friedman
Similar to [cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” International Panel Discussion (2) by Allan Friedman (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” International Panel Discussion (2) by Allan Friedman
- 1. TLP:WHITE January 3, 2023 C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y COORDINATED VULNERABILITY DISCLOSURE PROGRESS AND ADVANCES IN THE US 1 Allan Friedman, PhD
- 2. TLP:WHITE January 3, 2023 US policy has embraced CVD and the critical role of researchers, and seeks to lower barriers. Existing laws are interpreted to benefit researchers US government policy promotes private sector disclosure The “CVE Numbering Authority” program (CNA) helps organizations work with researchers around the world tl;dr 2
- 3. TLP:WHITE January 3, 2023 Computer Fraud and Abuse Act (1986) prohibits intentionally accessing a computer “without authorization” or in excess of authorization Recently, primarily used for insider abuse of data Digital Millenium Copyright Act (1998) Uses an “anti-circumvention” provision to prevent access to software (Section 1201) Existing laws that affect researchers 3
- 4. TLP:WHITE January 3, 2023 Good news! 4
- 5. TLP:WHITE January 3, 2023 Department of Justice guidance for prosecutors (2022) directs that good-faith security research should not be charged Good Faith: means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm DMCA “exemptions” have continually expanded Explicit carve out for security research Medical devices Land vehicles (cars) Open Source Software Progress on protecting researchers 5
- 6. TLP:WHITE January 3, 2023 C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y CVE NUMBERING AUTHORITIES (CNA) 6
- 7. TLP:WHITE January 3, 2023 7 WHAT is a CNA? o CVE Program o CNA Role in Vulnerability Disclosure WHO can become a CNA? o Organization Type o Partners by Country o Structure HOW to become a CNA? o Requirements o Process WHY become a CNA? The CVE Program CNA Agenda
- 8. TLP:WHITE January 3, 2023 What is a CNA? – CVE Program 8 CVE Numbering Authorities (CNA): Organizations authorized to assign and populate CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope Common Vulnerabilities and Exposures (CVE) Program: CVE-IDs are unique, common identifiers for publicly known cybersecurity vulnerabilities, assigned by CVE Numbering Authorities (CNAs). The CVE program is managed by MITRE, funded by CISA, and relies on the community (vendors, end users, researchers, and more) to discover and register vulnerabilities. The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world. CVE Working Groups develop the program’s policies (approved by the CVE Board) and are open to the community.
- 9. TLP:WHITE January 3, 2023 What is a CNA? – CNA Role 9 Vulnerability Discovery Vulnerability Coordination CVE-ID Assignment Vulnerability Disclosure A CNA becomes aware of a vulnerability Coordination with vulnerability stakeholders CVE ID assignment by a CNA Vulnerability and CVE Record released
- 10. TLP:WHITE January 3, 2023 Who is a CNA? – Organization Type 10 A CNA can be any organization from around the world from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. CNA: 224 | CNA-LR: 2 | Root: 3 | Top-Level Root: 2 Vendors and Projects o Currently 198 participants o E.g., Microsoft and Siemens National and Industry CERTs o Currently 11 participants o E.g., Spain and Japan Bug Bounty Programs o Currently 7 participants o E.g., Zero Day initiative and HackerOne Hosted Services o Currently 3 participants o E.g., Ping Identity Corporation and Carrier Global Corporation Vulnerability Researchers o Currently 43 participants o E.g., AppCheck Ltd. and Automotive Security Research Group (ASRG)
- 11. TLP:WHITE January 3, 2023 Who is a CNA? – Partners by Country 11 •Australia: 2 •Austria: 1 •Belgium: 1 •Canada: 5 •Chile: 1 •China: 10 •Colombia: 1 •Czech Republic: 1 •Denmark: 1 •Estonia: 1 •Finland: 3 •France: 3 •Germany: 10 •India: 4 •Ireland: 1 •Israel: 4 •Japan: 9 •Latvia: 1 •Netherlands: 5 •New Zealand: 1 •Norway: 1 •Romania: 1 •Russia: 2 •Singapore: 1 •Slovak Republic: 1 •South Korea: 4 •Spain: 4 •Sweden: 2 •Switzerland: 6 •Taiwan: 7 •Turkey: 3 •UK: 6 •USA: 122 •Vietnam: 1
- 12. TLP:WHITE January 3, 2023 12 Who is a CNA? – Structure
- 13. TLP:WHITE January 3, 2023 Requirements 1. Have a public vulnerability disclosure policy. o https://vuls.cert.org/confluence/display/CVD 2. Have a public source for new vulnerability disclosures. 3. Agree to the CVE Program Terms of Use. How to Become a CNA? – Requirements 13
- 14. TLP:WHITE January 3, 2023 How to Become a CNA? – Process 14 Process
- 15. TLP:WHITE January 3, 2023 Why Become a CNA? 15 CNA Control - CVE publication Security - Patch development Stakeholders Confidence - Mature vulnerability practices Communication - Prevention for customers Community Responsibility - Strengthens cyber ecosystem Participation - Vulnerability management
- 16. TLP:WHITE January 3, 2023 Misconceptions 16 1. Reporting too many vulnerabilities is bad. 2. Becoming a CNA will require a considerable overhead.