Difference between revisions of "Vulnerability Disclosure Cheat Sheet"

From OWASP
(initial effort)
 
(Internal full draft to wiki)
Line 3: Line 3:
  
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''  
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''  
<br/>
+
<br />
 
  __TOC__{{TOC hidden}}
 
  __TOC__{{TOC hidden}}
  
Line 13: Line 13:
 
This cheatsheet is to help people report vulnerabilities they can find either randomly, either through security research.
 
This cheatsheet is to help people report vulnerabilities they can find either randomly, either through security research.
  
= Prepare =  
+
'''Disclaimer''': No warranty - consult lawyer!
- define the scope
+
 
- check if company has
+
= Prepare =
* identified security contacts,
+
 
typical security@, abuse@, noc@ (RFC2142)
+
* define the scope
* a responsible disclosure web page
+
* check if company has
* bug bounty program
+
** identified security contacts: typical security@, abuse@, noc@ ([https://www.ietf.org/rfc/rfc2142.txt RFC2142])
Example platforms : hackerone, bugcrowd, synack, bountyfactory.io...
+
** a responsible disclosure web page
 +
** bug bounty program. Example platforms : hackerone, bugcrowd, synack, bountyfactory.io...
  
 
= Identify =  
 
= Identify =  
       
+
 
It is recommended to use responsible disclosure when dealing with vulnerability
+
Remember if they are rules defined by a bounty program or laws applied to your country.
- alert the company, multiple times and persons if needed
+
Document every step allowing to identify vulnerability, and if acceptable in your context, how to exploit it.
- alert trusted 3rd party like National CERT, Data Privacy regulator if apply. For data breach, some security researchers like Brian Krebs or Troy Hunt can be intermediate too.
+
 
- full/public disclosure
+
= Report =
Depending on you context, each step may have more or less
+
 
 +
It is recommended to use responsible disclosure when dealing with vulnerabilities
 +
* alert the company, multiple times and persons if needed.
 +
* request [https://github.com/RedHatProductSecurity/CVE-HOWTO CVE Identification].
 +
* alert trusted 3rd party like National CERT, Data Privacy regulator if apply. Eventually, security researchers like [https://krebsonsecurity.com/ Brian Krebs] or [https://www.troyhunt.com/ Troy Hunt] can be intermediate too or provide support.
 +
* full/public disclosure
 +
Depending on your context, each step may have more or less important time interval. Be flexible. '''''Encourage trust, transparency and openness'''''. Timeline of full disclosure is always a debate especially if there is active exploitation. Be considerate of the work necessary to do the fix while balancing with public interest.
 +
 
 +
Examples of public disclosure timeline and methodology
 +
 
 +
* RFPolicy, Rain Forest Puppy, 2000: [https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt 5d] for initial contact
 +
* Google Project Zero:
 +
** [https://googleprojectzero.blogspot.ca/2015/02/feedback-and-data-driven-updates-to.html 90d] after initial notification and 14d grace period
 +
** 7d after if actively exploited [[http://www.securityweek.com/google-discloses-windows-zero-day-vulnerability Microsoft, 2016]]
 +
* US CERT/CC: [https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm 45d] after initial report
 +
* Internet Engineering Task Force (IETF): [https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00 Responsible Vulnerability Disclosure Process]. Insisted on joined work with no unique timeline
 +
* Microsoft: [https://technet.microsoft.com/en-us/security/dn467923 Coordinated Vulnerability Disclosure] (CVD)
 +
* ISO/IEC [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170 29147:2014]: Vulnerability disclosure
 +
 
 +
Report should include all details necessary to understand vulnerability and reproduce it (exploit code for example). If you identify limiting factors, include them (Non-Admin user, use of Ms EMET, security HTTP headers...).
 +
 
 +
If possible, use encryption like PGP/GPG to encrypt your report. You can use [https://encrypt.to/ Encrypt.to] to do from a web browser if recipient has a public key.
 +
If you want to remain anonymous, it's probably better to use pseudonym and one-time use email on Tor network or similar.
 +
Intermediate party might also be available like [https://zerodisclo.com/ ZeroDisclo] but ensure target destination is relevant (In 2017, mostly FR & EU).
 +
 
 +
= Aftermath =
 +
If you think your lessons learned would be useful to community, share it (anonymously or not).
 +
 
 +
= Legal =
 +
 
 +
Most western countries have an exception for interoperability and security research but...
 +
* US: Sec. 103(f) of the DMCA (17 U.S.C. § 1201 (f)) but EULA and contract override law.
 +
* FR: [https://fr.wikipedia.org/wiki/Rétro-ingénierie#L.C3.A9gislation Art.] [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000266350&categorieLien=id L. 335-3-1 - article 22 du DADVSI] (2006), [http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32009L0024 EU Directive 2009/24]
 +
* CA: Ambiguous... Bill [http://www.parl.gc.ca/HousePublications/Publication.aspx?DocId=4580265&Language=e&Mode=1 C-32] (2010), Bill [http://www.parl.gc.ca/HousePublications/Publication.aspx?DocId=5465759 C-11] (2011). Criminal code provisions (Bill [http://laws-lois.justice.gc.ca/eng/acts/C-46/FullText.html C-46]) for testing without permission: 430(1.1) (“Mischief in relation to computer data”), 342.1 (“Unauthorized use of a computer”), 342.2 (“Possession of device to obtain unauthorized use of computer system or to commit mischief”).
 +
 
 +
= Definitions =
 +
 
 +
* Full disclosure
 +
« Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them. », [https://en.wikipedia.org/wiki/Full_disclosure_(computer_security) Wikipedia]
 +
 
 +
* Responsible disclosure
 +
« The issue is reported privately to the vendor *and no one else* until the vendor issues a patch. », [https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force/ Microsoft], 2010
 +
 
 +
* Coordinated disclosure
 +
« Coordinate public release happens, ideally, when the vendor releases the update. In the case of publicly verifiable active attacks, details may be released prior to an update being released, with emphasis on giving details to protection providers. », [https://blogs.technet.microsoft.com/ecostrat/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force/ Microsoft], 2010
 +
 
 +
* Private disclosure
 +
« The vulnerability is released to a small group of people (not the vendor) or kept private »
 +
 
 +
Other definitions : [https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642 CERT/CC]
  
 
= References =
 
= References =
  
https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm + RFPolicy 2.0, Rain Forest Puppy, 2000
+
* https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm
+ Debating Full Disclosure, Bruce Schneier, Jan2007
+
* [https://www.schneier.com/blog/archives/2007/01/debating_full_d.html Debating Full Disclosure], Bruce Schneier, Jan2007
+ 7 Deadly Sins of Website Vulnerability Disclosure, Jeremiah Grossman, Jul 2007
+
* [http://blog.jeremiahgrossman.com/2007/07/7-deadly-sins-of-website-vulnerability.html 7 Deadly Sins of Website Vulnerability Disclosure], Jeremiah Grossman, Jul 2007
+ Notification and disclosure Policy (update), Thierry Zoller, Sep 2008
+
* [http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html Notification and disclosure Policy] (update), Thierry Zoller, Sep 2008
+ Matt's Guide to Vendor Response, Talos, Dec 2009
+
* [http://blog.talosintelligence.com/2009/12/matts-guide-to-vendor-response.html Matt's Guide to Vendor Response], Talos, Dec 2009
+ The responsibility of public disclosure, Troy Hunt, May 2013 + Approaches to Vulnerability Disclosure, Brad Antoniewicz, Jun 2014
+
* [https://www.troyhunt.com/the-responsibility-of-public-disclosure/ The responsibility of public disclosure], Troy Hunt, May 2013
+ Reflections on Vulnerability Disclosure Case Studies & Ethical Dilemmas, ERNW, ACM 2015
+
* [http://blog.opensecurityresearch.com/2014/06/approaches-to-vulnerability-disclosure.html Approaches to Vulnerability Disclosure], Brad Antoniewicz, Jun 2014
+ Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations, ENISA, Jan 2016
+
* [https://www.ernw.de/download/ACM_SigComm_ENSR_Rey_Vulnerability_Disclosure.pdf Reflections on Vulnerability Disclosure Case Studies & Ethical Dilemmas], ERNW, ACM 2015
https://en.wikipedia.org/wiki/Reverse_engineering#Legality FireEye takes security firm to court over vulnerability disclosure, sep 2015
+
* [https://www.enisa.europa.eu/publications/vulnerability-disclosure Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations], ENISA, Jan 2016
Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch, nov 2016
+
 
Bug bounties and extortion, feb 2017
+
* https://en.wikipedia.org/wiki/Reverse_engineering#Legality
 +
* [http://www.pcworld.com/article/2983144/fireeye-takes-security-firm-to-court-over-vulnerability-disclosure.html FireEye takes security firm to court over vulnerability disclosure], sep 2015
 +
* [http://www.bleepingcomputer.com/news/security/google-discloses-windows-zero-day-before-microsoft-can-issue-patch/ Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch], nov 2016
 +
* [https://scotthelme.co.uk/bug-bounties-and-extortion/ Bug bounties and extortion], feb 2017
 +
 
 +
= Countries specifics =
 +
 
 +
* US
 +
** https://www.eff.org/issues/coders/reverse-engineering-faq
 +
** https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices
 +
 
 +
* CA
 +
** [http://www.cbc.ca/news/technology/canadian-government-hackers-1.3866336 'Messenger always gets shot': Hackers say the Canadian government doesn't want their help], CBC, Nov 2016
 +
** [http://www.barrysookman.com/2010/06/03/some-thoughts-on-bill-c-32-an-act-to-modernize-canada’s-copyright-laws/ Some thoughts on Bill-C-32: An Act to Modernize Canada’s copyright laws], Barry Sookman, Jun 2010
 +
 
 +
* UK
 +
** [https://www.theregister.co.uk/2017/05/31/surveillance_law_compulsion/ UK surveillance law raises concerns security researchers could be 'deputised' by the state], TheRegister, May 217
 +
 
 +
* FR
 +
** ANSSI: https://www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-declarer-une-faille-de-securite-ou-une-vulnerabilite/
 +
 
 +
* NL
 +
** NCSC: https://www.ncsc.nl/english/security
 +
 
 +
''Feel free to provide other countries!''
  
 
= Authors and Primary Editors  =
 
= Authors and Primary Editors  =
  
OWASP Montréal, v0.3, Feb 2017 https://www.owasp.org/index.php/Montréal
+
OWASP Montréal, v1.0, Jul 2017. https://www.owasp.org/index.php/Montréal
 +
 
 +
Thanks to OWASP Montréal chapter, @el_d33 and gosecure.ca team for review!
  
 
= Other Cheatsheets =
 
= Other Cheatsheets =
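Review bot: the US entry in the new Legal section overstates both halves of its claim. 17 U.S.C. § 1201(f) is the interoperability (reverse-engineering) exemption; security testing is § 1201(j), plus the rulemaking exemption the page itself cites later under Countries specifics (the FTC "DMCA security research exemption" post). And "EULA and contract override law" is too strong, since enforceability of anti-research contract clauses varies by jurisdiction; suggest `* US: 17 U.S.C. § 1201(f) (interoperability) and § 1201(j) (security testing), but EULA or contract terms may restrict what these exemptions allow.` Two wording slips in the same hunk: "Remember if they are rules defined by a bounty program" should read "Check whether there are rules defined by a bounty program", and "Eventually, security researchers ... can be intermediate too" uses the French sense of éventuellement; "Possibly" or "Alternatively" is meant.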
Line 52: Line 128:
 
{{Cheatsheet_Navigation_Body}}
 
{{Cheatsheet_Navigation_Body}}
 
[[Category:Cheatsheets]]
 
[[Category:Cheatsheets]]
 +
|}

Revision as of 08:42, 6 August 2017


Last revision (mm/dd/yy): 08/6/2017

DRAFT - WORK IN PROGRESS

Introduction

This cheat sheet is meant to help people report vulnerabilities they find, whether by chance or through security research.

Disclaimer: no warranty; consult a lawyer!

Prepare

  • Define the scope.
  • Check whether the company has:
    • identified security contacts: typically security@, abuse@, noc@ (RFC 2142)
    • a responsible disclosure web page
    • a bug bounty program. Example platforms: HackerOne, Bugcrowd, Synack, bountyfactory.io...

Identify

Check whether rules are defined by a bounty program or by the laws that apply in your country, and stay within them. Document every step needed to identify the vulnerability and, if acceptable in your context, to exploit it.

Report

Responsible disclosure is recommended when dealing with vulnerabilities:

  • alert the company, repeatedly and through several people if needed.
  • request a CVE identifier.
  • alert a trusted third party such as the national CERT or the data privacy regulator, where applicable. Security researchers such as Brian Krebs or Troy Hunt may also act as intermediaries or provide support.
  • full/public disclosure.

Depending on your context, the interval between steps may be longer or shorter. Be flexible. Encourage trust, transparency and openness. The timeline for full disclosure is always debated, especially when the vulnerability is being actively exploited. Be considerate of the work needed to produce the fix while balancing it against the public interest.

Examples of public disclosure timeline and methodology

  • RFPolicy 2.0, Rain Forest Puppy, 2000: 5 days for initial contact (https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt)
  • Google Project Zero:
    • 90 days after initial notification, plus a 14-day grace period when a patch is scheduled shortly after the deadline (https://googleprojectzero.blogspot.ca/2015/02/feedback-and-data-driven-updates-to.html)
    • 7 days if actively exploited (Microsoft, 2016: http://www.securityweek.com/google-discloses-windows-zero-day-vulnerability)
  • US CERT/CC: 45 days after initial report (https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)
  • Internet Engineering Task Force (IETF): Responsible Vulnerability Disclosure Process (https://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00); insists on joint work with no single timeline
  • Microsoft: Coordinated Vulnerability Disclosure (CVD) (https://technet.microsoft.com/en-us/security/dn467923)
  • ISO/IEC 29147:2014: Vulnerability disclosure (http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170)
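The published timelines above differ in one detail that is easy to get wrong when tracking a report: the Project Zero deadline is 90 days, but it is extended to the vendor's patch date when that date falls within a 14-day grace window, and it collapses to 7 days under active exploitation. The following calculator is an added example, not part of the OWASP cheat sheet; it encodes those rules together with CERT/CC's 45-day deadline and produces a dated reminder schedule for the "alert the company, repeatedly" step. The 14-day reminder interval and all sample dates are assumptions made for the example.

```python
"""Disclosure-deadline calculator (added example, not from the OWASP page).

Encodes the published timelines: Google Project Zero (90 days after
notification, up to 14 days more if the vendor commits to a patch date inside
that grace window, 7 days under active exploitation) and CERT/CC (45 days
after the initial report). Sample dates and the reminder cadence are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    deadline_days: int                     # days from report to public disclosure
    grace_days: int = 0                    # extra days if the vendor has a patch date
    exploited_days: Optional[int] = None   # shortened deadline under active exploitation


PROJECT_ZERO = Policy("Google Project Zero", deadline_days=90, grace_days=14, exploited_days=7)
CERT_CC = Policy("CERT/CC", deadline_days=45)


def disclosure_date(reported: date, policy: Policy = PROJECT_ZERO,
                    vendor_patch_date: Optional[date] = None,
                    actively_exploited: bool = False) -> date:
    """Return the date on which the reporter may publish under `policy`.

    Precedence of the rules:
    1. Active exploitation: publish after `exploited_days` regardless of patch
       status, because users are already at risk (policies without a fixed
       shortened deadline fall through to the normal rules).
    2. Vendor patch date no later than deadline + grace: publish when the patch
       ships, so details and fix appear together.
    3. Otherwise: publish on the hard deadline.
    """
    if actively_exploited and policy.exploited_days is not None:
        return reported + timedelta(days=policy.exploited_days)
    deadline = reported + timedelta(days=policy.deadline_days)
    if vendor_patch_date is not None:
        if vendor_patch_date <= deadline + timedelta(days=policy.grace_days):
            return vendor_patch_date
    return deadline


def timeline(reported: date, policy: Policy = PROJECT_ZERO,
             vendor_patch_date: Optional[date] = None,
             actively_exploited: bool = False,
             reminder_every: int = 14) -> List[Tuple[date, str]]:
    """Dated milestones: initial report, periodic reminders to the vendor
    (assumed cadence: every `reminder_every` days) and the disclosure date.
    Reminders stop once the disclosure date is reached."""
    publish = disclosure_date(reported, policy, vendor_patch_date, actively_exploited)
    events = [(reported, "initial report to vendor")]
    nxt = reported + timedelta(days=reminder_every)
    while nxt < publish:
        events.append((nxt, "reminder to vendor"))
        nxt += timedelta(days=reminder_every)
    label = "public disclosure"
    if vendor_patch_date is not None and publish == vendor_patch_date:
        label = "public disclosure, coordinated with vendor patch"
    events.append((publish, label))
    return events


if __name__ == "__main__":
    # Constructed scenario: reported 1 Jan 2017, vendor promises a patch on 10 Apr 2017,
    # which is inside the 14-day grace window after the 1 Apr deadline.
    for when, what in timeline(date(2017, 1, 1), vendor_patch_date=date(2017, 4, 10)):
        print(when.isoformat(), what)
```

Run it with a different `vendor_patch_date` to see the grace rule flip: a patch promised for 20 April lands outside the window, so the disclosure date snaps back to the 1 April deadline, which is exactly the situation the "be considerate of the work necessary to do the fix" sentence is about.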

The report should include all details necessary to understand the vulnerability and reproduce it (exploit code, for example). If you identify limiting factors, include them (a non-admin user is enough, Microsoft EMET is in use, security HTTP headers are set...).

If possible, encrypt your report with PGP/GPG; verify the recipient's key fingerprint through a channel other than the one that served the key. Encrypt.to lets you do this from a web browser if the recipient has a public key. If you want to remain anonymous, it is probably better to use a pseudonym and a one-time e-mail address over the Tor network or similar. An intermediate party such as ZeroDisclo may also be available, but make sure the target destination is relevant (in 2017, mostly FR and EU).

Aftermath

If you think your lessons learned would be useful to the community, share them (anonymously or not).

Legal

Most western countries have an exception for interoperability and security research, but...

  • US: Sec. 103(f) of the DMCA (17 U.S.C. § 1201(f)), but EULA and contract terms can override it.
  • FR: Art. L. 335-3-1 (article 22 of the DADVSI, 2006), EU Directive 2009/24.
  • CA: Ambiguous. Bill C-32 (2010), Bill C-11 (2011). Criminal Code (R.S.C. 1985, c. C-46) provisions for testing without permission: s. 430(1.1) (“Mischief in relation to computer data”), s. 342.1 (“Unauthorized use of a computer”), s. 342.2 (“Possession of device to obtain unauthorized use of computer system or to commit mischief”).

Definitions

  • Full disclosure

« Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them. », Wikipedia

  • Responsible disclosure

« The issue is reported privately to the vendor *and no one else* until the vendor issues a patch. », Microsoft, 2010

  • Coordinated disclosure

« Coordinated public release happens, ideally, when the vendor releases the update. In the case of publicly verifiable active attacks, details may be released prior to an update being released, with emphasis on giving details to protection providers. », Microsoft, 2010

  • Private disclosure

« The vulnerability is released to a small group of people (not the vendor) or kept private »

Other definitions : CERT/CC

References

  • https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm
  • Debating Full Disclosure, Bruce Schneier, Jan 2007: https://www.schneier.com/blog/archives/2007/01/debating_full_d.html
  • 7 Deadly Sins of Website Vulnerability Disclosure, Jeremiah Grossman, Jul 2007: http://blog.jeremiahgrossman.com/2007/07/7-deadly-sins-of-website-vulnerability.html
  • Notification and disclosure Policy (update), Thierry Zoller, Sep 2008: http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
  • Matt's Guide to Vendor Response, Talos, Dec 2009: http://blog.talosintelligence.com/2009/12/matts-guide-to-vendor-response.html
  • The responsibility of public disclosure, Troy Hunt, May 2013: https://www.troyhunt.com/the-responsibility-of-public-disclosure/
  • Approaches to Vulnerability Disclosure, Brad Antoniewicz, Jun 2014: http://blog.opensecurityresearch.com/2014/06/approaches-to-vulnerability-disclosure.html
  • Reflections on Vulnerability Disclosure Case Studies & Ethical Dilemmas, ERNW, ACM 2015: https://www.ernw.de/download/ACM_SigComm_ENSR_Rey_Vulnerability_Disclosure.pdf
  • Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations, ENISA, Jan 2016: https://www.enisa.europa.eu/publications/vulnerability-disclosure
  • https://en.wikipedia.org/wiki/Reverse_engineering#Legality
  • FireEye takes security firm to court over vulnerability disclosure, Sep 2015: http://www.pcworld.com/article/2983144/fireeye-takes-security-firm-to-court-over-vulnerability-disclosure.html
  • Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch, Nov 2016: http://www.bleepingcomputer.com/news/security/google-discloses-windows-zero-day-before-microsoft-can-issue-patch/
  • Bug bounties and extortion, Feb 2017: https://scotthelme.co.uk/bug-bounties-and-extortion/

Countries specifics

  • US
    • https://www.eff.org/issues/coders/reverse-engineering-faq
    • https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices
  • CA
    • 'Messenger always gets shot': Hackers say the Canadian government doesn't want their help, CBC, Nov 2016: http://www.cbc.ca/news/technology/canadian-government-hackers-1.3866336
    • Some thoughts on Bill C-32: An Act to Modernize Canada's copyright laws, Barry Sookman, Jun 2010: http://www.barrysookman.com/2010/06/03/some-thoughts-on-bill-c-32-an-act-to-modernize-canada’s-copyright-laws/
  • UK
    • UK surveillance law raises concerns security researchers could be 'deputised' by the state, The Register, May 2017: https://www.theregister.co.uk/2017/05/31/surveillance_law_compulsion/
  • FR
    • ANSSI: https://www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-declarer-une-faille-de-securite-ou-une-vulnerabilite/
  • NL
    • NCSC: https://www.ncsc.nl/english/security

Feel free to provide other countries!

Authors and Primary Editors

OWASP Montréal, v1.0, Jul 2017. https://www.owasp.org/index.php/Montréal

Thanks to the OWASP Montréal chapter, @el_d33 and the gosecure.ca team for the review!

Other Cheatsheets