Vulnerability Disclosure - ETSI… · 15/06/2018, IoTSF Conference London, Dec 2016

Page 1

Vulnerability Disclosure

Stephen Pattison, Board Member, IoTSF

Page 2

How Not To Manage It…


“"We are aware of the report on Twitter…" an Owlet spokeswoman told us.”

Page 3

Making The Best Of It…


“…triggered Philips to release a firmware patch for owners of its "Hue" connected bulbs.”

Page 4

IoT Security Foundation Vulnerability Disclosure Guidelines

Vulnerability Disclosure Process Guidelines

- Web Site
- Sample Web Page Text
- Means of Contact
- Communicating with the Researcher
- Resolving Conflict
- Timing of Response
- Security Advisory
- Credit where Credit is Due
- Money
- Discouraging Damaging Actions

Page 5

Coordinated Vulnerability Disclosure

- All IoT product and service suppliers to have a point of contact for security researchers.
- A researcher works closely with a company to fix an issue;
- the issue is then made public at a mutually agreed time. This minimises the risk and harm to users.

Page 6

A Quick Win for Companies

Easy to set up: in its most basic sense it is literally an email address, security@[company], and in a slightly more advanced state a webpage ([website]/security).

- It allows companies to be easily contactable by people who want to let them know about security problems.

Page 7

Key Elements

The process should cover both: (i) the reporting of newly discovered security vulnerabilities and (ii) the public announcement of security vulnerabilities (usually following the release of a software patch, hardware fix, or other remediation).

Page 8

Key Elements

It is essential that security researchers can be channelled to the right point of contact, so it is imperative that there is an easy-to-find web page which contains all the necessary information. (Some companies also choose to specify what they consider to be unacceptable security research, such as that which would lead to the disclosure of customer data.)

Page 9

Key Elements

The text on your security contact web page should state in what time frame the security researcher can expect a response; this will typically be a few days, perhaps up to a week.

It is important to communicate with the researcher and explain how you justify your estimated timing.

If the researcher feels that you are not taking their report seriously enough, it may cause a breakdown of the process and premature public disclosure of the vulnerability.


Page 10

Key Elements

A company should not encourage damaging activity. Some security pages explicitly exclude certain types of research, for example Denial of Service attacks on a site or hacking into systems in order to expose customer data.

It is standard practice, as a gesture of goodwill and recognition of security researchers’ efforts, to name security researchers who have cooperated in a vulnerability disclosure.

Page 11

Resolving Conflict

- Leave the process only after exhausting reasonable efforts to resolve the disagreement;
- Leave the process only after providing notice to the other party;
- Resume the process once the disagreement is resolved.

Page 12

Some Friends and the Future

- We do NOT operate a service for disclosures (unlike the GSMA); we want companies to do this themselves.
- We are aligned with the GSMA and also with the ISO standard.
- There is an emerging consensus that CVD is something that all IoT companies should implement.
- We may continue work in this space as best practice evolves around things like bug bounties and issues like extortion/blackmail.

www.iotsecurityfoundation.org