All right, good afternoon. Welcome to Policy at DEF CON. This talk is a panel titled "All of Your Vulns Are Belong to Terms and Conditions," and it's chaired by David Rogers. Yes, closer to the mic. The title is "All Your Vulns Are Belong to Terms and Conditions," and it's chaired by David Rogers. A few announcements: this talk is being hosted on the record, I believe. Cell phones: we ask that you check your cell phones or silence them as a courtesy to the speakers. If we take questions at the end, please use the mic so everyone can hear you. Very close to the mic. As a reminder, the photo policy prohibits taking pictures without the permission of everyone in the frame. And with that, let's get started. Please welcome our panel.

We're gonna live down to your expectations of me. So welcome everybody, and thank you for coming. My name is David Rogers. I guess, why am I here, doing CVD? So I created the CVD program at the mobile industry association GSMA, and I had to fight hard for it, so I know the pains and tribulations of it. And I'm going to be moderating this panel, where we talk everything from vulnerabilities through to legal through to how we can help hackers and what's going on around the world. So in row order, I'd like our speakers to just introduce themselves and tell us a little bit about themselves.

Hi everyone, I hope you're having a good DEF CON. So I'm Katie Noble, Katie Trimble-Noble for some people, because you might know me in my previous persona. So I am one of the four bug bounty Katies. There's me, there's Katie Nickels, and there's Katie Moussouris.
So I'm half of the four bug bounty Katies in the world. Yeah, I know, it's great. So my background: I worked for the US government for about 15 years, previously at CISA. I did coordinated vulnerability disclosure, where I ran the Vulnerabilities Equities Process, the MITRE CVE program, which I'm still a board member of, the NVD program, the Carnegie Mellon CERT/CC program, and the ICS-CERT vulnerability handling program. And our claim to fame was that we coordinated and disclosed over 20,000 cybersecurity vulnerabilities in a two-year time period. And I currently work for a Fortune 50 tech company where I am the director of product security incident response and bug bounty, and we won't name that company because I'm not really here.

Hi everybody, my name is Harley Geiger and I am a cybersecurity lawyer. I'm currently with a law firm called Venable. I too am not representing Venable here, and nothing that you hear is legal advice. You do need a lawyer, but I am not your lawyer. And prior to joining Venable I was in-house at Rapid7, and I was also a Hill staffer, again working on cybersecurity and privacy, for about 15 years. And now I help people with compliance, I help people with incident management, and I focus a lot on hacker law and vulnerability disclosure.

Hi, my name is Casey. I am the token non-American on the panel, and I guess... Okay, we bookended. That's right. Okay, so... The Ashes in a minute. I'm just getting this one. I know, let's get this party started. No, so I'm the founder and CTO of Bugcrowd. Bugcrowd, you know, we didn't invent vulnerability disclosure or bug bounty programs, that was prior art, but we did pioneer the idea of putting a platform in between all the researchers that are out there and all of the potential problems that exist on the defender side of things. So that's kind of what informs my point of view on this subject, because we've seen quite a bit in the course of the last 11 years of doing this stuff.
Also the co-founder of the disclose.io project, which is basically a vulnerability policy standardization exercise that's been running now for the better part of, you know, eight years in this form, but I think the prior art there goes back to Rain Forest Puppy in 2001 and then stuff that existed before that. So really the idea of that is to make the adoption of sane VDP language and VDP terminology easy, or at least as difficult to screw up as possible, and as a part of that to actually put positive pressure on top-down legislative change. I've been involved in things like the charging rule changes out of DOJ, you know, election security administrator guidance out of CISA, and in 2020 BOD 20-01, so on and so forth. So, yeah.

Cool. Rain Forest Puppy's already been mentioned, so maybe we need to rewind a bit in history. So just a show of hands. First of all, who knows what vulnerability disclosure is? That's good. All right, who knows what coordinated vulnerability disclosure is? Okay, it's a lot less, right. And who knows Rain Forest Puppy? Who's heard of Rain Forest Puppy? Okay, so the history, the history is slipping away. Wow. You should actually look him up, because that whole brinksmanship process is really, really interesting. But I'm just gonna ask, maybe we start with Casey actually. Just give us the very short potted history. You know, we're talking over 20 years in, really, to all this stuff, right?

Yeah, that poll just then makes me feel super old, so thank you for all. Thank you. Yeah, I mean look, I think the history...
There's a talk I give titled "The Unlikely Romance," and this is why. Basically, when you think about where we're up to at this point in time, we have reached a point where hackers and organizations can at least have a productive conversation, and that's really only an advance of the last ten years, through my eyes. And that's, you know, partly through the work that Bugcrowd's done, it's partly through the work that a lot of other people have done to keep pressure on this. That effort goes back a long way, and I think, you know, really what it comes down to, when you start looking into some of the stories that come out of the late '80s and '90s, it's this idea of security not even being a consideration in kind of the early creation of the internet, the early creation of software, and all of a sudden people start to break things because they can. That hacker spirit starts to manifest in this domain, and, you know, everyone probably freaks out. The best example of that's the CFAA, which, you know, legend has it, was written after Ronald Reagan watched WarGames at Camp David and freaked out, basically, and went to the DOJ, and the CFAA was ultimately the product of that fear. Like, the fact that that prompted the creation of regulation, I think that was important to do, but that baseline, like, freak-out reaction, I think, kind of informed how that legislation was created. There's lots of different examples of that, and we've had to basically claw back from that ever since.

Just recall that Ronald Reagan also watched Close Encounters of the Third Kind, didn't he? That's a different story, right? So Katie, you used to work for the government, didn't you?
So how do... so we've kind of come all this way. There's been a lot of pain along the way, particularly for hackers who've been sued and badly treated by companies and so on. So we've got to the point where, you know, CVD is a thing and governments are advocating for it. So how do governments at the moment handle vulnerability disclosure?

I do not represent the government, but I will represent my own interactions with this particular topic. So I will say that in the last... I would say probably 2015 or so, there was what I would like to refer to as a watershed moment. We really did start to see the US government and other foreign governments start shifting their mindset from vulnerability disclosure being a terrible thing to, hey, if you see something, say something, this could actually be really good for us. And I think one of the big things that made that change was really the DoD's Hack the Pentagon effort. I think when Hack the Pentagon happened, it was something that was so groundbreaking, because all of a sudden the Department of Defense, the, you know, grudgy Department of Defense that's got all the guns and scary things, was saying, actually, maybe we should take these security researchers a little seriously and bring them in and see what they tell us and test ourselves. We are confident, so let's test that, let's not be afraid. And that was a huge moment. I think that sent a huge signal to private industry and to other governments and other government agencies. So again, DoD and the federal executive agencies: I know a lot of times we think the US government, or the government, and we just kind of think big government, it's all the same, but they are different, and their relationships are very different. So you have... I don't mean to give you a civics lesson.
So I'll make it really quick. But DoD has what we refer to as a parent-child relationship. So there's DoD, and then there's Air Force, Navy, you know, you get the idea here, right? So they have a parent-child relationship, and then the federal executive agencies have really a sibling relationship. So you have Department of Homeland Security, Department of Commerce, Department of Treasury. They all work together, but they're more siblings. They don't have the ability to force each other to do things, except in select situations; particularly OMB has the power of the purse, so they can force most people to do a lot of things. But when DoD did that, it sent a very strong signal to the rest of the government that they should be open to this idea as well. And then we started seeing CISA really pick it up as well, with the creation of CISA, which happened in 2018, and Homeland Security really picked it up from there. And so I think that really did change it and open the door, and now we have things like Hack-A-Sat.
Then Hack DHS. It really was groundbreaking, and it's very exciting, because now, instead of "don't go to the government because the government's scary and, you know, law enforcement's gonna show up at your door," now the relationship is, if you have a problem, if there's an issue, go to CISA, because CISA will help you. And that's very different for the individual hacker than it was 10 years ago. So I like to show that as a really great evolution of the way things could be and should be and are trending.

I would add on to this, to the question of how the government is treating vulnerability disclosure now, a couple of other developments just in the past couple of years. An important one is now all federal civilian agencies are required to have a coordinated vulnerability disclosure program. So CISA worked with... it wasn't... so CISA has the power of creating binding operational directives. They're usually not really enforceable unless OMB attaches, you know, some teeth to it, and in this case they did. So CISA and OMB worked together, and now all civilian agencies should have a vulnerability disclosure process. If you look at, you know, pick the Department of Education or HHS or something like that, you should be able to find their VDP page. And it is in fact a bit more permissive. You know, it provides a measure of authorization that we don't see as often in the private sector. So that's one piece. There are several others. We're seeing CVD being brought into regulation as well, in particular for government contractors, for IoT devices, as well as best practices in a variety of sectors. An important one is the NIST Cybersecurity Framework. So the Cybersecurity Framework is used... it started out for just critical infrastructure, but now it's being used in a lot of other sectors as well, as sort of the gold standard for risk management, and CVD is in there. The last thing I'll say about it...
It relates to the treatment of hackers specifically. We have, starting in about 2018, we saw the Department of Justice, on more than one occasion, step up and create and advocate for specific protection, legal protection, for security researchers. They did this... we mentioned the DMCA earlier. The Department of Justice on two different occasions issued letters to the Copyright Office saying we should not be charging hackers under the DMCA, and it was very influential in getting strong protection for security research under the DMCA. I think about a year and a half ago, the Department of Justice also changed the charging policy under the CFAA, saying that prosecutors should decline to prosecute good-faith security researchers for good-faith security research. Like, they're not gonna withhold if you're doing extortion or something. So as far as I'm concerned, the federal government has made tremendous strides on adopting CVD and protection of hackers. The places that I think we need to catch up now are actually the private sector and the states. These things that we've just discussed are not necessarily there in the private sector, not as much adoption of CVD, and the states still have, like, all the things that we've complained about for the CFAA are present in state law.

But there are other countries around the world. So my own experience, so I can give you a kind of war story here about how successful really the coordinated vulnerability disclosure concept has become, and you see this sort of, you know, snowball effect of governments understanding and adopting it. So back in 2017 I wrote a document to create some principles on IoT security, and that was in a government committee, and I'd put vulnerability disclosure policy as a key requirement on IoT manufacturers. And there was a guy in the room and he said, "We can't talk to the hackers."
"We shouldn't be talking to hackers." And it was that kind of age-old issue that all of us have fought for years and years and years. But in that moment I was really, really confident, because we already had two ISO specs, so two international standards for vulnerability disclosure, and it was already adopted as good practice by companies on the West Coast of the States. So I had that moment, I was really confident to be able to say, no, you're talking complete rubbish, and we got it through. But that attitude still persisted, and it was great to have the reference points. And I always think that we're sort of standing on the shoulders of giants each time we move this subject forward. And you're seeing this thing, so that thing became an international standard and it was adopted across the world, so in Australia, Singapore, India, Turkey, and it's baked in, and it's also now law in the UK through the Product Security and Telecommunications Infrastructure Act, which is the PSTI Act. And that in turn, I know that's not the subject of this panel, is starting to create new discussions about what we define as computer misuse. And so it feels like that's the kind of next step in this story, maybe.

So I want to bring up a couple of things internationally that cast a shadow over this largely positive picture that we're painting. So yes, it is true that CVD is being adopted, I think not just in the United States but around the world. That's good and helpful. When Europe passed NIS2, the NIS 2 Act, we saw an infrastructure being set up for coordinated vulnerability disclosure. We thought it was largely positive. It applied mostly to critical infrastructure, like what we think of as critical infrastructure, you know, and each member state was supposed to have a process for sort of processing vulnerabilities. Then China came out with a vulnerability disclosure law.
I'm not sure how many of you are familiar with some of the details of that law, but essentially when it comes to vulnerability disclosure, as an individual hacker you have the ability to disclose your vulnerabilities to the Chinese government directly or to the vendor, who then must disclose to the Chinese government. And as a vendor you are required to disclose vulnerabilities that you receive to the Chinese government. So you're encouraged to have a vulnerability disclosure policy, you're encouraged to have a bug bounty, but it's a giant sucking sound of vulnerabilities flowing to the Chinese government.

That's right. That's right, within 48 hours.

Now the other development I just want to highlight here as well is in Europe presently. The EU is currently considering something called the Cyber Resilience Act, the CRA, and the Cyber Resilience Act has flown under the radar quite a lot in the United States. We're only talking about the vulnerability disclosure part of it, but this is a huge law. It will have a GDPR-like effect on security, and it is going to pass. It is going to pass. They're actually in an advanced stage. Okay, vulnerability disclosure under the CRA: there are three different versions, but the nut of it is that if you have an actively exploited vulnerability, so you have software in the EU and you discover you have an actively exploited vulnerability, you must notify either ENISA or the CSIRTs, depending on how it shakes out, within 24 hours. Then, 24 hours... if you've had an actively exploited vulnerability, 24 hours later it is likely not patched, right, it is likely not mitigated, and you are telling government agencies about it now. Again, there's multiple versions.
They're going to consolidate them, but some of the versions would have that first agency that you talked to send it to other agencies, who then send it to other agencies, leading to about 55 government agencies in the EU if you have software that's deployed across the EU. So it is a rolling list of software packages with unmitigated vulnerabilities. The point is, so CVD, great, but we are also sort of seeing that process co-opted, in a way, right? We're going further left of boom, to the point where we are sort of forcing disclosure before people are ready and doing it in situations where we are putting those vulnerabilities at risk of being used for surveillance or tipping off adversaries.

So what we're seeing is a kind of governments potentially taking advantage, as companies already take advantage, right, of situations. And, you know, there are always constant issues of NDAs and private disclosures and sort of almost unwritten threats against researchers. So it feels like they kind of were blindsided by it originally, and then now they kind of get to grips with it. I mean, what do you think about it, Katie? Would you agree?

Yeah, I think that's exactly the case. I think that there... and I'm a little bit concerned, because as I see the coordinated vulnerability disclosure principles be adopted across industry, there are still a lot of big companies that don't have coordinated vulnerability disclosure programs or that are trying to stand them up, and these are international companies. So as these regulations continue, some are good regulations, some are bad regulations, and as they continue you start seeing industry pull back, and so that progress that's being made positively is now being pulled back a little bit. Think about this from an industry perspective: if you have a product and it has a vulnerability in it, 24 hours? Have you even had an opportunity to triage that vulnerability yet?
Do you know it's a vulnerability? And now the whole idea of coordinated vulnerability disclosure, that was something David said: do you know about vulnerability disclosure? Do you know about coordinated vulnerability disclosure? Coordinated vulnerability disclosure means that all parties agree that they will treat this vulnerability under embargoed status until a point where all parties are able to accurately disclose that vulnerability in a way that doesn't give an adversary an advantage, right, when a mitigation is developed and disclosed. So if you're disclosing vulnerabilities within 24 hours, what you are doing is you are enabling an adversary to be able to exploit a customer or end user. And I don't think that's the goal, but you see right there, you have a law that's about to be passed, and you have the technical details of that, and the impacts of that are so wide-reaching. You get to a point where you say, why are we even doing coordinated vulnerability disclosure anymore? Why don't we just put it all on Twitter, or simply not have a CVD program? And that's dangerous, and it's undoing a lot of the progress that's been made over the last 10 years.

So I hate to say, you know, it feels like a chill spreading across the world. Is that what's gonna happen, Casey?

Yeah, sure, let's go with that. Look, I think in general, the way that I'd kind of render out what's happening, as, you know, someone who lives in the US, in San Francisco, but also has a home functionally in Australia, right, I'm thinking about this through the Western lens. And what I see happening is that Western countries are trending towards transparency as a mode of resilience, right? Transparency is antifragile.
That's kind of a design principle that's being used to push this along, and I think that's a lot of how it's been sold, frankly, you know, within government. It's a lot of how it's been pushed down here, and how it's been adopted. And that's certainly something that, you know, we've taken advantage of as Bugcrowd. I've seen, you know, the folks working on the disclose.io project take advantage of it as well. It's just a security model that seems to make sense, right? On the flip side of it, you know, non-Western countries do tend to be trending towards control or aggregation, just in general, because ultimately there's a motivation there to build up firepower. Like, they want resilience, they want defense, they want to be able to fix the bugs that get found, but they also want to increase their capability from a sovereign, you know, capacity standpoint, and this is a pipeline for that. So, you know, I do see it kind of heading in that direction, and obviously that's a, you know, 300,000-foot observation. I do expect that to continue, because ultimately I think transparency as a resilience strategy wins in the end, because it's fundamentally antifragile, right? But if the other approach manages to land the first set of punches, that could change the outcome.

So you touched on something there which there's been articles about, one country hoarding vulnerabilities recently, actually. So is this maybe this kind of... I want to say arms race. There's probably not an arms race, it's just a... I don't want to... quite what it is. What is it?
Like, yeah, I think, I mean, I think, you know, the international relations environment's gotten progressively more tense, you know, and it's always been tense, but I think that tension has become more obvious, you know, post-COVID, right. So I think, yeah, the idea of... yeah, and this is through the lens of an Australian. You look at... this is all on public record. Like, there was a budget of, I think, 97 billion dollars in a project called REDSPICE, which is specifically around standoff deterrent capability in case there's something that goes hot in the region, right, for, you know, reasons that should be sort of fairly obvious that the Aussies are nervous about that. I think it's 2.7 billion of that's going into cyber, and that's offensive and defensive. So it's capability stockpiling, is ultimately what it's about. That's what I've kind of observed, is that there's a lot of sort of, you know, endorsement of offensive now that wasn't there before, right? Yeah, I think it used to be a dirty word, and that's... I mean, you think about these conversations, they always go back to the FBI versus Apple in the San Bernardino case. I think it was 2016, and at the time, you know, to create a zero-day and weaponize it for offensive use of any kind, so it was kind of dirty. Like, there was this sort of stench around it. But then you look at... there was a lead time between when that happened and when it came out who was actually responsible for that as an organization. It's like four or five years later. They're actually celebrated, and it was an Australian company. It was actually celebrated as an Australian start-up story. So in that time it went from a dirty word to a thing that was kind of accepted, which is amazing. As I said, the sort of dark secret: forensics tools, these companies try to, like, play off how ingenious
they are, but a lot of them are buying vulnerabilities off the grey market, right? And there's a healthy... like, you can go to the Zerodium website and see their little, you know, table of elements and the prices that attach to them, and I know obviously Project Zero has been trying to counter some of that stuff, but, you know, not a lot of people know about that either today. I mean, any of us sort of discuss that a little bit more? The grey market and vulnerabilities, and I guess how that operates? Is... sure, the Zerodium website, I mean, it exists, right?

Yeah, it absolutely exists. I think vulnerability discovery, you know, the way that I try to parse this out to explain it, and even to think about it, is that there's defensive and offensive vulnerability procurement, right? The defensive procurement cycle, basically you get the bug and you kill it, right? The offensive cycle is where you get the bug and you actually productize it, and as a part of that you work to keep it secret, so that your capacity stays operational in the wild and doesn't get burnt. So everything leading up to that decision of whether or not you burn it or keep it alive looks pretty much the same. It's basically vulnerability research, you know, discovery, like thinking through impact, thinking through usability, like where the attacker is going to be coming from, or what kind of capability and access they need from that vulnerability. Not every vulnerability is eligible for this type of, you know, purpose, right?
But there's a lot of researchers out there that can do that stuff. I think, you know, the thing I find interesting at this point in time is, even with some of these legislative changes that are happening, like, "grey" is the perfect way to describe it, because I think it's becoming less illegal, or less kind of tightly regulated, in a way that I think will actually kind of dictate some of the outcomes that we'll see if you think forward ten years.

Also now a factor in the grey market, a couple of things. One, and, you know, Casey alluded to this, but the profit, the price point for vulnerabilities being used offensively is going to be higher than for defense. It puts defense at a disadvantage, and part of the reason, as Casey said, is, you know, for defensive purposes you want to plug the vulnerability; offense can be used multiple times, or you sell it under NDA so that you get a higher price for it, so that you can sell to a single buyer. It is an issue. But the other force also, though, is, you know, we want to encourage this process being used for defensive purposes. The White House is currently looking at ways to deal with the offensive market. There was recently an executive order on commercial surveillance brokers. I think four of them went under sanction recently as well. And so it is difficult to sort of, you know, find that nexus to human rights and be able to distinguish between the use of vulnerabilities for, you know, legitimate police operations versus oppressive purposes, but that space is being looked at now.

Just really quickly on the pricing piece, Harley's exactly right, and this is actually a phenomenon that we see a lot of, actually demonstrated in bug bounty, which is, you know, defensive procurement. So on the one side, you know, if you're selling a vulnerability that's going to be productized, like, that is inherently
more valuable as a transaction. The thing that works in favor of the defender is you've got the prisoner's dilemma. So if Harley and I have both found a bug, and I'm trying to sell it off to the offensive buyer, he's trying to sell it off to the defensive buyer, if he lands the punch first, then I lose the opportunity for the bounty plus the opportunity to exploit the bug, because it gets burnt at that point in time. So that economic kind of delta works in both directions.

So I'm just gonna comment on what Harley was saying. When we think about vulnerabilities used offensively, I think we're in an age now where we have to seriously consider the impacts of the things that we do, and I'll use an extreme example here, but anything can be used for good and anything can be used for bad. And think about nuclear power. It developed nuclear power for power plants, nuclear power for weapons, and the difference there can be things like regulations and informed decision-making and an informed community, because we have the ability to influence the decision-making and the legislative process and the regulations and standards that go around this market. And I think we're starting to see that with the White House, which is a wonderful thing, and I'd like to see more of that, because we're at a cusp now where it's becoming very common to understand cybersecurity. There is no real world and online world anymore. You know, it used to be, oh my god, my Twitter went down, what am I gonna do?
Now you can't get a job without the internet. You know, COVID really accelerated that for us. So it's becoming more in the forefront of humanity that we understand how cybersecurity works, and that we have that informed process, because if we don't, it will pass us by. And that's something that I would empower everyone... It's part of the reason the Policy Village is here, a policy department is here at DEF CON, to help people who are very technical talk to policymakers, so that we can have an informed decision-making process.

And I think, to close the loop also on policy and what we were just discussing, as far as offensive versus defensive use of vulnerabilities, we should be directing our policy developments towards streamlining the ability for people to disclose vulnerabilities. And so what we had talked about at the outset about greater adoption of CVD, that's one way to do that. The greater legal protection for hackers for acts of good-faith security research is another way to do that. There's still room to go, though. We talked about China's vulnerability disclosure law. We talked about the EU. Starting, you know, if you are a hacker and you are disclosing a vulnerability to a company, and you know that company then has to disclose that to a whole bunch of government agencies, you don't know what's gonna happen.
There's a couple of things. As a researcher, you may feel conflicted about making that disclosure, and then as a company you may not want to have to kick off that process every time someone discloses to you. So we are seeing policies that are kind of going in both directions, where we are making it more difficult, or at least a greater moral choice, a moral conflict, for vulnerability disclosure, at the same time that we're easing it in some ways. Another great one that we are hopeful that the US government will take on is sanctions. So there are questions about the extent to which vulnerability disclosures are a sanctioned event or sanctioned transaction, if you are a US company and you're receiving a vulnerability disclosure from an individual in a comprehensively sanctioned nation, or somebody that is two hops removed from the SDN list, and you are... yes, can follow up with questions, but not paying or anything like that. You know, there's no money exchanging hands. That should not be a sanctioned event. As of now, this is in a gray area, but this is something that we are hopeful can change, and it is for the purpose of, you know, greasing the skids for defensive use of vulnerabilities, taking away incentives, taking away that easy path towards offensive use.

I guess for some researchers, especially, you know, some of them are naive ones, they might not even realize that they were talking to a nation state as well. So there was the infamous conversation with George Hotz, that iPhone recording that happened, and it could have been naivety, but was he trying to sell a vulnerability to China? That was the debate at the time. And I guess nation states might get a bit smart and just false flag the researcher, right?
Oh, yeah, yeah.

So I just want to... so frequently, when I talk about this with companies, they get mixed up between bug bounty and vulnerability disclosure. They also get mixed up with vulnerability disclosures as well. So I was giving a deposition to a government committee and clearly they didn't understand; they thought vulnerability disclosure was forcing companies to disclose vulnerabilities publicly. So let's start on the bug bounty thing. So I guess, Casey, first of all, just explain the difference, please.

Yeah, so when I speak to this, I think there's an added piece there, that bug bounties often get used interchangeably with crowdsourcing at this point in time as well. So it's like, words are hard, basically. But I think for the purpose of the regulatory kind of renderings of this, and I think how most people coming into it think about it, the definition I go to is in NIST 800-53 r5, which is basically that a vulnerability disclosure program is an intake point, it's a policy, and it's a process that allows people from the outside world to submit a vulnerability into an organization and to have some sort of expectation of what happens next, effectively. And that's a butchered version, but that's the Cliff Notes of it. But what it also does is it distinguishes it from a bug bounty program. So it basically says a bug bounty program is if you do everything that we just said, but what you also do is you reward someone with cash if they do this and they're first to find and report a unique issue. Usually the way it works is that's kind of the model: so the first to find is the one who gets paid, and the more impactful the issue, the more they get paid. So what you're ultimately doing,
you know, on the proactive side, is incentivizing the things that you want, and actually mimicking kind of some of the economic incentives that exist for the adversary. So that's the purpose of it and how it works. But the reason that confusion happened, because obviously I've had a box seat for a lot of this story: bug bounties just got sexy really fast. Like the thing that happened with Hack the Pentagon, which was hugely valuable, I think, for reforming the public perception of what a hacker is, and actually helping tell a story of their place in the safety of the Internet. It's like, if the apex predator of the planet relies on 16-year-olds to give them security feedback, then maybe I should do that too, right? And like, that was a pretty massive shift in thinking that happened at that point. But it was all talked about in terms of it being a bug bounty. And I think, you know, like us as an organization, I think some of the other platforms that joined after we started the category, you know, hackers getting paid money and being able to celebrate that, that's a thing that's exciting to talk about and that's fun. So all of this led to most of the focus of terms of art actually being around bug bounty, even though, like, frankly, it's actually the minority. You know, from my own perspective, like, VDP is something that absolutely every... like, that is a cost, that's a bar of entry.
You know, "must be this high to ride the Internet" type of thing at this point in time. You know, bug bounty in the public sense is discretionary. Some organizations are ready to do that; others aren't, because they're just not ready to remediate or listen to the Internet in that way.

One other good distinction is authorization. All right, so for a bug bounty you are authorized to, you know, try to find vulnerabilities and use certain testing methods against a defined scope of assets. A vulnerability disclosure policy can do that, you can provide authorization, but many don't. Many are just a channel saying, look, if you find a vulnerability, disclose it to us, but we're not guaranteeing that, you know, you get out of jail free or anything. In fact, the US government's VDP for civil agencies does provide authorization. It is the more advanced form of VDP where there is some authorization, and the reason authorization is so important is because it provides legal cover for the security researchers that are trying to find the vulnerabilities. But to Casey's point about VDP being, should be, a fundamental practice at this stage: you can have a very basic VDP that does not provide that authorization and you are still, you know, edging into that world. That is still helpful.

I'm gonna jump in real quick.
So to simplify: a VDP is "see something, say something"; a bug bounty is an invitation to hack. So there's a difference there. And I like to think of bug bounty payments or rewards... I don't like to think of them as rewards. I like to think of them as reimbursement for your time, because how much time and effort was spent in researching that vulnerability, triaging that, or not triaging, developing the proof of concept, submitting that vulnerability to a company, going through the friction of even filling out a submission, because each company wants it a little different, and going through that whole process and then working with that company. Maybe that company has follow-on questions, that back and forth. So I see it as a reimbursement for your time rather than a reward. And I will tell you, I work at a Fortune 50 tech company, and this is becoming a very common way of reframing the narrative of what's actually happening. It is a way to offset the dark market and give people an opportunity, those who want to do good in the world and those who have an intrinsic motivation to be positive and to help defend; it's an outlet for them. But also it's a mechanism of saying thank you, and we appreciate your time, and recognizing your time.

That's a really good point, and I'd forgotten to raise this topic. But the value of labor is a real big question, right, for security researchers. Many hackers feel they're essentially being exploited by governments and companies for their time, and that there's not a recognition of that. Is that a fair statement, or do you guys have different views on that?

Sure. I think that, you know, the other piece, like, frankly, this goes back to one of the reasons I founded Bugcrowd in the first place, is that it does distribute access on both sides to the answer to the question that they've got, which is: is this thing vulnerable or not?
So you think about that, you switch that onto the defender side. You know, previous to crowdsourcing, previous to bug bounty, you were basically held hostage to whatever hourly rate you're getting to get consulting, and ultimately, like, one person being paid. So you've already got a supply-demand imbalance there. And then you've got the problem of one person being paid by the hour probably never being able to actually outsmart all the potential adversaries that could figure the solution out before they can. So I think there's a counterbalance to what you just brought out, in that, you know, I think the security consulting industry has been incredibly overpriced in different areas, with very much a caveat emptor approach to quality. What this does is it actually brings quality to the fore. So I think that there's that part of it that's pretty important to call out. But also, you know, on the payment side, it's an interesting one, and obviously I'm gonna have some bias in my answer here, but, you know, people don't have to participate. Like, there's no arm being twisted in terms of their own participation. And I would add to that, like, I partly agree with Katie on how you are rendering what the purpose of payment is. I actually think about it more in terms of the value of the data. Like, if, you know, the organization running a program has a question, whoever ends up giving the answer has that answer, then there's a value to that transaction. That's more tied to the data in terms of the payer, right? On the researcher side, maybe it's got to do with the amount of time and effort that they put into it, but ultimately that doesn't really matter in terms of the marketplace dynamic there, if that makes sense.

Yeah, and I guess it depends where you come from in the world and what the cost of living is, right? You know, the value might be huge, might be life-changing.
Um, so, we don't have much time left. I just really want to give the audience the opportunity to ask any questions, if you'd like. I know Casey has to dash off to deliver a talk, so I don't want to hold him back, but you have a great opportunity to speak with some of the world's greatest minds in vulnerability discussions. So, David.

Good afternoon. Super interesting. Whatever folks' thoughts are about, I'll say, US government, because we've got multiple governments sort of represented here: US government coordination as it relates to very recent regulations put out by our good friends at the SEC, that can actually end up driving victims to disclose, like, really sensitive stuff in the middle of their trial.

Totally agree. I think the SEC has made a very bad move. So, for those of you that are not familiar, the Securities and Exchange Commission has actually historically been a very forward-leaning agency when it comes to cyber security, and they actually have done some really great work in trying to push public companies towards being more transparent about their security posture and, you know, securing their systems of control for financial reporting. So I want to have that caveat. So they recently came out with a rule. The rule does a lot of things, and much of the rule I think is positive. There is one aspect of the rule that's getting a lot of attention, and rightly so, and this is on incident reporting. And so what that does is it requires all publicly traded companies to report their cyber security incidents within four days of determining that those incidents are material. And what that means, materiality means, like, that you determine it's significant enough that, you know, somebody ought to know about it. But as we discussed with regard to vulnerabilities, with that four days you may or may not have contained or mitigated your incident. Now that reporting through the SEC is public. It's public by default.
So it goes, you report it through your 8-K form; your 8-K becomes public as an investing document. And that is the Securities and Exchange Commission's purpose: to provide information to investors. It is not really, you know, with this regulation, to strengthen cyber security. The SEC has heard that, and they heard it not just from private industry, but from consumer groups as well, as I know from other US government agencies. I was surprised that they kept that timeline in. Arguably, companies were already supposed to disclose their cyber security incidents. What's new is this timeline, this four-day timeline after materiality. I thought that they were going to have something about, you know, maybe if you haven't contained or mitigated your incident, perhaps you can delay disclosure, you know, and have some other things on top of it. No dice. Instead, what they said was, well, here's our exception: if the Attorney General asks the SEC in writing to delay because there's a threat to national security or safety, then there can be a delay. It's like, that is not going to happen, right? That is a very, very low number of incidents. So for those of you that work at public companies, functionally what's going to happen is, if you have a cyber security incident, you're going to have to draw in more parts of your team. You're going to draw in your corporate attorneys, who should be familiar with the concept of materiality, as well as your corporate communications, because you will be disclosing this incident publicly within four days.

Hi, I have a question about safe harbor. One of the things I've noticed recently is that it's pretty common for safe harbor language to exist in programs launching now, but I've noticed a trend of them including request-per-second limitations, and I would like to know where I'm wrong in my logic. If you, for instance, take Visa, they launched a program recently with a one request per second limit for testing.
You can't load a web page, and you know you're exceeding that automatically. Why is safe harbor not meaningless in that scenario?

Sounds like poorly written rules by people who were uninformed, but...

Yeah, but you see, like... I mean, what Katie said. Like, I think there's basically a bunch of things like that that you see. A lot of the recommendations and policy kind of guidelines that exist in bug bounty programs in particular are basically copy-pasta that's like 20 years old or more, right? So yeah, there might have been a point in time, or some organization or some program at some point in time, that said, okay, here's a particular rate limit that we want to put on this program because of blah blah blah, it made sense, right? But the idea of that being, you know, a useful way... like, really what they're saying is, please don't hammer our stuff, right? Like, the idea of actually putting a specific number on that is a bit silly, but I kind of get the intent behind it. I think with the safe harbor component of it, you know, because usually safe harbor clauses are written as an "if this, then that", and that "this" is: if you follow the rules, these conditions, then that will, you know, authorize you against the CFAA, exempt you from any circumvention claim under the DMCA, exempt you from TOS violation, and we'll just say that what you're doing is a good thing, right? That's generally how it works. And yeah, your point around that actually being pretty important alongside the... that it's well understood.
I think, you know, Harley would probably be better to jump in on the legal side, but what I'm trying to do is paint a picture of why that happens and why that exists. And oftentimes it is a balancing act between, like, creating comfort on the side of the organization putting these policies out there, and it being, like, fully complete from that side.

So before we take the next question, or before Harley comments, I'm gonna give you your fleeing rights to leave the room. So please thank Casey for joining us, and good luck with your talk. It's all right, you all don't have to leave; you can stay and talk to us. So, next question.

Thank you. I'll be cognizant of time, but I think this is pretty relevant. Okay, so governments are starting to mature and enable their citizens to report vulnerabilities. We think that's naturally a good thing. Everyone on the security research front, you can think, hey, I have a little extra protection here that I hadn't before, and can sleep a little easier when you report something. But as governments start to kind of wisen up, like, all around the world, not just ours or any other particular one, and encourage people to report vulnerabilities, what's to stop governments from starting to really emphasize other countries', you know, citizens of other countries reporting vulnerabilities to them? Because we might be friendly with some folks in public, but behind the scenes there's always an information war race going on. And I was curious if everyone had a take on that.

I can't hear very well.

Oh, I'm so sorry. So yeah, basically, as this becomes, I guess, sort of quite nationalized reporting to these schemes, does that then have sort of blowback on the individuals and their nationality?
So for example, in the mobile industry, we have this pan-industry reporting scheme. We have people from all different countries, you know, individuals and companies that are in different countries. Do you think that some companies, countries, may start to restrict people from nationalities, just because of where they're from, basically?

So I think the answer is yes, but I also think it differs by country. So China's vulnerability disclosure law that we touched on earlier, it does in fact have a restriction on reporting your vulnerability outside of China. I don't have the exact language in front of me, but that is in there. I'm actually very curious to know how companies are, you know, actualizing this, particularly multinational companies that are based outside of China but have operations in China. But yes, so if you are an individual there, like I said, you report to the vendor, who reports to the government, or you report to the government. You are not authorized; in fact, there are criminal penalties if you make it public or if you report to some other government outside of China. But most other nations that I'm aware of, even the law that I would describe as negative on vulnerability reporting, the Cyber Resilience Act in the EU, that included, most other laws do not really require you to report directly to government as an individual, right?
So you report to the vendor, and then the vendor has certain obligations, but you're not punished or restricted, generally, as an individual from reporting outside. I don't see that as a trend so much outside of China. And maybe there are other countries that are more authoritarian that have something like that. I'm sure there's some unspoken codes in certain countries, but I'm not really aware of them personally. Now the other, sorry, the other restriction is on the exports, or sorry, the sanctions side. I'll let Katie talk about that. But that is the other way that, you know, they can discriminate against individuals based on their geography.

Yeah, well, just let me finish and we'll go ahead. So there is one other way, and Harley just said it: when we think about sanctions, US government sanctions specifically, and this happens across the world, there are a couple of ways sanctions impact. But one of them is, if you are a researcher in an embargoed country, if you try to submit a vulnerability to a US company, that US company may not be able to receive it. It may simply IP block you, so they can't actually even receive the information from a sanctioned company, because they don't want to have the possibility of having a sanctioned event happen. So they simply do IP blocking, and so that means that you can't prove a negative. I don't know how often that's happening, because it's being screened. And so that's a perfect avenue where you're having individual researchers who in some cases may be taking great personal risk upon themselves for trying to do the right thing and report it to the vendor prior to reporting it to their highly oppressive government, you know. So sanctions, clarifying sanctions and upgrading sanctions, US sanctions and sanctions for other countries across the United States, is something that should be taken very seriously.
Those regulations should be updated to apply to reality as we understand it. And I think Lynn's gonna kick us off now. So, thank you.