An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disclosure Programs
2 likes1,032 views
The document outlines the importance and challenges of vulnerability disclosure programs (VDPs), which allow the public to report technical vulnerabilities in companies' products and systems, and provides a legal framework to encourage ethical hacking. It highlights the emerging trend of companies adopting VDPs to enhance cybersecurity while managing risks associated with public disclosure of vulnerabilities. Key considerations for setting up a VDP include scoping, resource allocation, and understanding legal obligations related to reported vulnerabilities.
![Companies Must Decide Whether To Adopt A
Program
© 2017 Wiley Rein LLP
Proprietary & Confidential 21
• Providing consent to the public to hack into a company’s network or product
involves inherent risk.
• The NTIA sample policy would allow would-be hackers to engage in "reverse
engineering or circumventing protective measures," and provides broad immunity
to any hacker who "submit[s] vulnerability reports through our Vulnerability
Reporting Form."
• Reverse engineering and circumventing protective measures are intrusive, and
many companies may not want to authorize activity beyond the permissions
afforded under recent interpretations of copyright law and
anti-circumvention policies.](https://image.slidesharecdn.com/invitationtohack-wileyreinandhackeronewebinar-170717173628/85/An-Invitation-to-Hack-Wiley-Rein-and-HackerOne-Webinar-on-Vulnerability-Disclosure-Programs-21-320.jpg)
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disclosure Programs
- 2. Agenda © 2017 Wiley Rein LLP Proprietary & Confidential 2 • Legal Framework for Vulnerability Disclosures • Emerging Trend Focused on Vulnerability Disclosure Programs • Benefits and Risks • Key Considerations for Creating a Program • Conclusions and Takeaways • Questions and Answers
- 4. What is a Vulnerability Disclosure Program? © 2017 Wiley Rein LLP Proprietary & Confidential 4 • Vulnerability disclosure programs are an entity’s policies and procedures for allowing the public to communicate a technical vulnerability to the entity. • Vulnerabilities might be in a web site, internal network, mobile app, API, product, etc. • Members of the public are often given credit or financial rewards for alerting an entity about an unknown vulnerability. • Vulnerabilities may be discovered by individuals with a wide variety of motives, including white hat/black hat hackers, competitors, and security researchers.
- 5. Legal Uncertainty © 2017 Wiley Rein LLP Proprietary & Confidential 5 • Ethical security researchers operate in a grey area. • Researchers and other so-called white hat hackers run the risk of violating various laws, most notably the Computer Fraud and Abuse Act, 18 U.S.C. 1030, which creates civil and criminal penalties for unauthorized access of any protected computer. • Copyright protections, including the anti-circumvention provisions of the Digital Millennium Copyright Act, 17 U.S.C. 1201, also limit the ability to hack devices.
- 6. Providing Consent to Hackers © 2017 Wiley Rein LLP Proprietary & Confidential 6 • Vulnerability disclosure programs seek to clarify the rules of engagement by providing limited authorization for "good faith" testing of a company's information system or products. • Depending on the nature of the program and the authorization given, they can allow the public to engage in limited hacking against a company. • As long as researchers stay within the bounds of a program's grant of consent, researchers can in theory feel confident that their actions do not violate federal laws like the CFAA, thereby encouraging reporting.
- 8. Vulnerability Disclosure Programs Are Becoming More Accepted © 2017 Wiley Rein LLP Proprietary & Confidential 8 • Several years ago, vulnerability disclosure programs were novel and eyed with suspicion. • Given sensitivities and potential liabilities, companies are wary of public disclosure and hackers seeking to exploit research. When a hacker presented a flaw to a company, the company was more likely to be concerned about taking legal action against the hacker than making a public announcement or offering a reward. • That is changing. Over the last several years, many companies in the private sector, most notably leading technology companies, like Microsoft, Google, and Facebook, began to implement or expand disclosure programs.
- 9. Numerous Federal Efforts Explore Or Encourage Vulnerability Disclosure Programs © 2017 Wiley Rein LLP Proprietary & Confidential 9 • In January 2017, the National Telecommunications and Information Administration (NTIA) published preliminary guidance on vulnerability disclosure programs, including a template, Coordinated Vulnerability Disclosures, that broadly promotes disclosure programs. • FTC’s “Start with Security” Guide on cybersecurity also recommends having a vulnerability disclosure program. • Cybersecurity frameworks, like ISO 29147 and 30111, often recommend vulnerability disclosure programs, signaling that they are becoming an expected part of a mature cybersecurity program. • The National Institute of Standards and Technology (NIST) is considering adding guidance on vulnerability disclosure programs to Version 1.1 of the widely used Cybersecurity Framework.
- 11. Disclosure Programs May Provide Significant Benefits . . . © 2017 Wiley Rein LLP Proprietary & Confidential 11 • Vulnerability disclosure programs provide an opportunity for companies to improve cybersecurity by tapping into the collective skills and expertise of ethical hackers and security researchers — skills that may be difficult or impossible to replicate in-house. • Properly run disclosure programs allow companies the ability to manage disclosures in a controlled manner and limit damage from premature or imprudent disclosures. • Increased communication regarding vulnerabilities may improve cybersecurity of vendors and supply chain.
- 12. . . . But There are Reasons for Caution © 2017 Wiley Rein LLP Proprietary & Confidential 12 • Properly managing vulnerabilities presents challenges. Public disclosure — particularly premature disclosure — can: • scare consumers; • inform competitors of weakness; • inspire government oversight; • result in litigation; and • facilitate attacks by hackers exploiting the vulnerability. • The research community is diverse and has varied motives, with some pushing the bounds of ethical and legal behavior.
- 18. 18
- 19. Setting up a Vulnerability Disclosure Program 19Proprietary & Confidential © 2017 Wiley Rein LLP
- 20. Overview of Key Considerations © 2017 Wiley Rein LLP Proprietary & Confidential 20 • First, companies must decide whether to adopt a program. • Second, companies must determine how to scope a program appropriately. • Third, companies need to evaluate whether they have the resources to properly staff a program. • Fourth, a company should consider how it will resolve reports and whether it will document that resolution, with an eye toward litigation or oversight. • Lastly, a company needs to understand obligations it might have to notify business partners, regulators, and the public.
- 21. Companies Must Decide Whether To Adopt A Program © 2017 Wiley Rein LLP Proprietary & Confidential 21 • Providing consent to the public to hack into a company’s network or product involves inherent risk. • The NTIA sample policy would allow would-be hackers to engage in "reverse engineering or circumventing protective measures," and provides broad immunity to any hacker who "submit[s] vulnerability reports through our Vulnerability Reporting Form." • Reverse engineering and circumventing protective measures are intrusive, and many companies may not want to authorize activity beyond the permissions afforded under recent interpretations of copyright law and anti-circumvention policies.
- 22. Companies Must Determine How To Scope A Program Appropriately © 2017 Wiley Rein LLP Proprietary & Confidential 22 • Companies can ease into a program by applying it only to some products, or by limiting it to certain services. • They can include or exclude their own websites, portals, or applications. • There are myriad other scoping questions, which really boil down to legal policy questions, including whether to waive the right to sue for intrusions or hacking, and what restrictions to impose on researchers to benefit from the company's waiver. • Companies may want to create and communicate clear expectations to the hacking community about recognition, financial rewards, and response time.
- 23. Companies Need To Evaluate Whether They Have The Resources To Properly Staff A Program © 2017 Wiley Rein LLP Proprietary & Confidential 23 • Quickly evaluating and fixing vulnerabilities is not easy. • Many bug bounty programs provide commitments to make public updates on fixes and to publically recognize researchers who identify bugs. Those commitments may not be feasible, especially for companies releasing new products in a competitive market.
- 24. Companies Should Consider How They Will Resolve Reports © 2017 Wiley Rein LLP Proprietary & Confidential 24 • A vulnerability disclosure program will invite negative reports. The company will have to be ready to handle such information, both logistically and substantively. • For example, if a company receives a report and does not find it credible or high risk, and decides not to remediate, subsequent government inquiries or litigation might seek internal deliberations about the report. • Any company running a vulnerability disclosure program should consider how it will document resolution of reported bugs, with an eye toward litigation or oversight, particularly if they have government customers.
- 25. Companies Need To Understand Notification Obligations © 2017 Wiley Rein LLP Proprietary & Confidential 25 • Receipt of information about alleged vulnerabilities could trigger notification obligations to consumers, government customers, regulators, regulators, or in SEC filings. • How will a company handle vulnerabilities that relate to products manufactured or designed by others? • For example, how will a company respond to a vulnerability that affects a commonly available or commercially sourced network component? Will the company notify the vendor?
- 27. Conclusion © 2017 Wiley Rein LLP Proprietary & Confidential 27 • While the opportunity to improve cybersecurity is promising, in offering a program, a company is effectively consenting to being hacked. • A poorly implemented program may result in unnecessary publicity, litigation, or government oversight. • Companies that lack a clear vulnerability disclosure policy are at increased risk should a security researcher find a vulnerability, which may be disclosed in a chaotic manner. • If a company decides to adopt a program, it needs to know what options are available and craft a program that is tailored to its situation.