Help us help you to be taken more seriously

Recording

Ko tēnei taku mihi ki ngā tāngata whenua o te rohe nei.

I greet the Indigenous people of this area.

E mahi ana au i te hapori Mahara mō te tekau mā toru tau.

Ko au te kaihautū kaupapa mō Mahara, te pūnaha kōpaki pūmanawa herekore.

E mahi ana au i Catalyst IT.

Ko Kristina Höppner ahau.

Nō reira, tēnā koutou, tēnā koutou, tēnā koutou katoa.

I've been active in the Mahara community for 13 years.

I am the project lead for Mahara, the open source portfolio system.

I work at Catalyst IT.

I am Kristina Hoeppner.

Thus, hello to you all.

Faily Monster

I found a vulnerability in www.company.biz.

  1. Steps to reproduce
  2. References
  3. Mitigations

Dear Faily.Monster.net

All your open source community town hall meeting minutes are publicly visible. These may contain sensitive information.

Dear Faily Monster

2:30am: Hello, I found a vulnerability...

3:56am: Hi. Can I get a response?

6:19am: Hi. I haven't yet heard from you.

8:27am: Can you please reply?

Dear Faily Monster

I ran an automated penetration test suite on demo.faily.monster and found:

  1.  
  2.  
  3.  

Please fix and assign CVEs.

Dear Faily Monster

[Not the info sec researcher]

I stumbled upon repository.git and was wondering if you knew about this issue. It has a CVE number assigned.

Dear Faily Monster

Faily's tips for security researchers (hax0rs)

  1. Don't rely solely on automated tools; check the context.
  2. Don't disclose others' vulnerabilities.
  3. Read published security information.
  4. Get in touch with the team privately.
  5. Give the team time to respond.

Faily's tips for organisations

  1. Don't panic when you are contacted.
  2. Read resources and guidelines. In Aotearoa: CERT NZ, Privacy Commission.
  3. Have a responsible disclosure policy and a contact.
  4. Consider outsourcing the handling of disclosures, for example to Bugcrowd or HackerOne.
  5. Respond in a timely fashion and engage with the researcher.

Contact us

Faily / cookie monster head with a broad smile and rolling eyes. Source: http://tiny.cc/faily

Help us help you be taken more seriously

By Kristina Hoeppner

Presentation by Faily Monster and Kristina Hoeppner at Kawaiicon 2 on 2 July 2022. Recording: https://youtu.be/KdhWjmCu9_Y
