(5 intermediate revisions by 2 users not shown) |
Line 2: |
Line 2: |
| <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
− | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
| |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| |
− | <br/>
| |
− | __TOC__{{TOC hidden}}
| |
| | | |
− | = DRAFT - WORK IN PROGRESS =
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html Vulnerability Disclosure Cheat Sheet] to see the latest version of the cheat sheet. |
− | = Introduction =
| |
− | | |
− | This cheatsheet is to help people report vulnerabilities they can find either randomly, either through security research.
| |
− | | |
− | = Prepare =
| |
− | - define the scope
| |
− | - check if company has
| |
− | * identified security contacts,
| |
− | typical security@, abuse@, noc@ (RFC2142)
| |
− | * a responsible disclosure web page
| |
− | * bug bounty program
| |
− | Example platforms : hackerone, bugcrowd, synack, bountyfactory.io...
| |
− | | |
− | = Identify =
| |
− |
| |
− | It is recommended to use responsible disclosure when dealing with vulnerability
| |
− | - alert the company, multiple times and persons if needed
| |
− | - alert trusted 3rd party like National CERT, Data Privacy regulator if apply. For data breach, some security researchers like Brian Krebs or Troy Hunt can be intermediate too.
| |
− | - full/public disclosure
| |
− | Depending on you context, each step may have more or less
| |
− | | |
− | = References =
| |
− | | |
− | https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm + RFPolicy 2.0, Rain Forest Puppy, 2000 | |
− | + Debating Full Disclosure, Bruce Schneier, Jan2007
| |
− | + 7 Deadly Sins of Website Vulnerability Disclosure, Jeremiah Grossman, Jul 2007
| |
− | + Notification and disclosure Policy (update), Thierry Zoller, Sep 2008
| |
− | + Matt's Guide to Vendor Response, Talos, Dec 2009
| |
− | + The responsibility of public disclosure, Troy Hunt, May 2013 + Approaches to Vulnerability Disclosure, Brad Antoniewicz, Jun 2014
| |
− | + Reflections on Vulnerability Disclosure Case Studies & Ethical Dilemmas, ERNW, ACM 2015
| |
− | + Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations, ENISA, Jan 2016
| |
− | https://en.wikipedia.org/wiki/Reverse_engineering#Legality FireEye takes security firm to court over vulnerability disclosure, sep 2015
| |
− | Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch, nov 2016
| |
− | Bug bounties and extortion, feb 2017
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | OWASP Montréal, v0.3, Feb 2017 https://www.owasp.org/index.php/Montréal
| |
− | | |
− | = Other Cheatsheets =
| |
− | | |
− | {{Cheatsheet_Navigation_Body}}
| |
− | [[Category:Cheatsheets]]
| |
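Review bot: Dropping `{{Cheatsheet_Navigation_Body}}` and `[[Category:Cheatsheets]]` along with the draft body removes this page from the Cheatsheets category index and from the cross-navigation between cheat sheets, so readers who still land on the wiki page lose the way back to the rest of the series; if the page is to remain as a pointer, keep at least `[[Category:Cheatsheets]]` beside the two new links. The same wholesale removal also discards the only attribution line ("OWASP Montréal, v0.3, Feb 2017 https://www.owasp.org/index.php/Montréal") and the References list; confirm that the GitHub version linked in the new text carries that attribution, or retain the one-line credit here.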