Difference between revisions of "Vulnerability Disclosure Cheat Sheet"

From OWASP
(initial effort)
 
(Migration to GitHub)
(4 intermediate revisions by one other user not shown)
Line 2: Line 2:
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
  
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
<br/>
 
__TOC__{{TOC hidden}}
 
  
= DRAFT - WORK IN PROGRESS =
+
Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md Vulnerability Disclosure Cheat Sheet] to see the latest version of the cheat sheet.
= Introduction =
 
 
 
This cheat sheet helps people report vulnerabilities they find, whether by chance or through security research.
 
 
 
= Prepare =
 
- define the scope

- check whether the company has

* identified security contacts, typically security@, abuse@, noc@ (RFC 2142)

* a responsible disclosure web page

* a bug bounty program. Example platforms: HackerOne, Bugcrowd, Synack, bountyfactory.io...
 
 
 
= Identify =
 
       
 
Responsible disclosure is recommended when dealing with a vulnerability:

- alert the company, contacting it multiple times and through multiple people if needed

- alert a trusted third party such as a national CERT or the data privacy regulator, if applicable. For a data breach, some security researchers such as Brian Krebs or Troy Hunt can act as intermediaries too.

- full/public disclosure

Depending on your context, each step may have more or less
 
 
 
= References =
 
 
 
https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm

+ RFPolicy 2.0, Rain Forest Puppy, 2000

+ Debating Full Disclosure, Bruce Schneier, Jan 2007
 
+ 7 Deadly Sins of Website Vulnerability Disclosure, Jeremiah Grossman, Jul 2007
 
+ Notification and disclosure Policy (update), Thierry Zoller, Sep 2008
 
+ Matt's Guide to Vendor Response, Talos, Dec 2009
 
+ The responsibility of public disclosure, Troy Hunt, May 2013

+ Approaches to Vulnerability Disclosure, Brad Antoniewicz, Jun 2014
 
+ Reflections on Vulnerability Disclosure Case Studies & Ethical Dilemmas, ERNW, ACM 2015
 
+ Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations, ENISA, Jan 2016
 
https://en.wikipedia.org/wiki/Reverse_engineering#Legality

FireEye takes security firm to court over vulnerability disclosure, Sep 2015

Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch, Nov 2016

Bug bounties and extortion, Feb 2017
 
 
 
= Authors and Primary Editors  =
 
 
 
OWASP Montréal, v0.3, Feb 2017  https://www.owasp.org/index.php/Montréal
 
 
 
= Other Cheatsheets =
 
 
 
{{Cheatsheet_Navigation_Body}}
 
[[Category:Cheatsheets]]
 

Revision as of 10:20, 14 February 2019


The Cheat Sheet Series project has been moved to GitHub!

Please visit Vulnerability Disclosure Cheat Sheet to see the latest version of the cheat sheet.