
Vulnerability Disclosure Cheat Sheet

From OWASP
Revision as of 17:35, 19 June 2017 by Jmanico (initial effort)

Last revision (mm/dd/yy): 06/19/2017

DRAFT - WORK IN PROGRESS

Introduction

This cheat sheet is meant to help people report vulnerabilities they find, whether by chance or through deliberate security research.

Prepare

- Define the scope: check whether the company has

  • identified security contacts, typically security@, abuse@ and noc@ (RFC2142)
  • a responsible disclosure web page
  • a bug bounty program

Example platforms: HackerOne, Bugcrowd, Synack, bountyfactory.io...

Identify

It is recommended to use responsible disclosure when dealing with a vulnerability:

- alert the company, multiple times and multiple persons if needed
- alert a trusted third party such as a National CERT or the data privacy regulator, if applicable. For a data breach, some security researchers like Brian Krebs or Troy Hunt can act as intermediaries too.
- full/public disclosure

Depending on your context, each step may have more or less

References

- https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm
- RFPolicy 2.0, Rain Forest Puppy, 2000
- Debating Full Disclosure, Bruce Schneier, Jan 2007
- 7 Deadly Sins of Website Vulnerability Disclosure, Jeremiah Grossman, Jul 2007
- Notification and Disclosure Policy (update), Thierry Zoller, Sep 2008
- Matt's Guide to Vendor Response, Talos, Dec 2009
- The Responsibility of Public Disclosure, Troy Hunt, May 2013
- Approaches to Vulnerability Disclosure, Brad Antoniewicz, Jun 2014
- Reflections on Vulnerability Disclosure: Case Studies & Ethical Dilemmas, ERNW, ACM 2015
- Good Practice Guide on Vulnerability Disclosure: From challenges to recommendations, ENISA, Jan 2016
- https://en.wikipedia.org/wiki/Reverse_engineering#Legality
- FireEye takes security firm to court over vulnerability disclosure, Sep 2015
- Google Discloses Windows Zero-Day Before Microsoft Can Issue Patch, Nov 2016
- Bug bounties and extortion, Feb 2017

Authors and Primary Editors

OWASP Montréal, v0.3, Feb 2017 https://www.owasp.org/index.php/Montréal
