Help us help you

to be taken more seriously

Recording

Ko tēnei taku mihi ki ngā tāngata whenua o te rohe nei.

I greet the Indigenous people of this area.

E mahi ana au i te hapori Mahara mō te tekau mā toru tau.

Ko au te kaihautū kaupapa mō Mahara, te pūnaha kōpaki pūmanawa herekore.

E mahi ana au i Catalyst IT.

Ko Kristina Höppner ahau.

Nō reira, tēnā koutou, tēnā koutou, tēnā koutou katoa.

I've been active in the Mahara community for 13 years.

I am the project lead for Mahara, the open source portfolio system.

I work at Catalyst IT.

I am Kristina Hoeppner.

Thus, hello to you all.

Help us help you

to be taken more seriously

Faily Monster

I found a vulnerability in www.company.biz.

  1. Steps to reproduce
  2. References
  3. Mitigations

Dear Faily.Monster.net

All your open source community town hall meeting minutes are publicly visible. These may contain sensitive information.

Dear Faily Monster

2:30am: Hello, I found a vulnerability...

3:56am: Hi. Can I get a response?

6:19am: Hi. I haven't yet heard from you.

8:27am: Can you please reply?

Dear Faily Monster

I ran an automated penetration test suite on demo.faily.monster and found:

  1.  
  2.  
  3.  

Please fix and assign CVEs.

Dear Faily Monster

[Not the info sec researcher]

I stumbled upon repository.git and was wondering if you knew about this issue. It has a CVE number assigned.

Dear Faily Monster

Faily's tips

for security researchers (hax0rs)

Don't rely solely on automated tools; check the context.

1

Don't disclose others' vulnerabilities.

2

Read published security information.

3

Get in touch with the team privately.

4

Give the team time to respond.

5

Faily's tips

for organisations

Don't panic when you are contacted.

1

Read resources and guidelines.

2

In Aoteaora: CertNZ, Privacy Commission

Have a responsible disclosure policy and a contact.

3

Consider outsourcing the handling of disclosures.

4

For example, bugcrowd, HackerOne

Respond in a timely fashion and engage with the researcher.

5

Contact us

Faily / cookie monster head with a broad smile and rolling eyes. Source: http://tiny.cc/faily