Page 20 - FCW, Nov/Dec 2016

Cybersecurity
In indictments filed with district courts in three states, the U.S. government charged that British hacker Lauri Love and his co-conspirators exploited vulnerabilities in Adobe’s ColdFusion web application to steal information from databases at several federal agencies, including the Missile Defense Agency and NASA. The high-profile case illustrated how damaging it can be to leave vulnerabilities unfixed.
to executing attacks is not acceptable behavior.
Stamos concluded that Facebook should have moved to fix the problems faster and perhaps been more explicit about what it considers to be ethical behavior and what it doesn’t.
Many companies that run bug bounty programs provide lists of dos and don’ts. GitHub, for instance, asks researchers not to access its users’ accounts or data, not to launch denial-of-service attacks and not to publicly disclose bugs until they are fixed, among other things.
A glance through the community-curated listings of bug bounties and disclosure policies at Bugsheet.com reveals some commonalities among companies when it comes to disclosure policies (i.e., don’t publicly disclose the problem until it has been fixed), but the level of detail provided in the policies varies widely. For example, Uber’s bug bounty policy explicitly states that payout amounts are not pinned to the vulnerability itself but to the severity of the potential impact.
“This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a microsite,” the company’s policy document states. “When we have our reward meetings, we always ask one question: If a malicious attacker abuses this, how bad off are we? We assume the worst and pay out the bug accordingly.”
Although every organization operates in its own way, the International Organization for Standardization and the International Electrotechnical Commission offer a comprehensive policy document (with input from Moussouris) that serves as a valuable reference point for vulnerability disclosure processes and policies. The document is numbered ISO/IEC 29147.
‘Transparency has to be a two-way street’
David Berteau, former assistant secretary of Defense for logistics and materiel readiness and now president and CEO of the Professional Services Council, said the Pentagon’s bug program is an “easily supportable concept” and “a laudable idea.”
“Both the private-sector companies