Via #BruceSchneier ±1 hour ago: "Operation Triangulation: Zero-Click iPhone Malware"
#fz_links / #VulnerabilityDisclosure #iMessage #iOS #Apple #infosec #malware
Protect your business and build trust with customers and stakeholders by creating a comprehensive vulnerability disclosure policy! Our ultimate guide shows you how to do it right. #VulnerabilityDisclosure #Cybersecurity #EthicalHacking https://www.cyber-consult.org/secure-your-business-with-an-effective-vulnerability-disclosure-policy-the-ultimate-guide/
Sushiswap Smart Contract Bug Results in Over $3M in Losses; Head Chef Says Hundreds of ETH Recovered - According to several reports, a bug introduced to the decentralized exchange (dex)... - https://news.bitcoin.com/sushiswap-smart-contract-bug-results-in-over-3m-in-losses-head-chef-says-hundreds-of-eth-recovered/ #vulnerabilitydisclosure #decentralizedexchange #decentralizedfinance #routerprocessor2 #routeprocess02 #matthewlilley #smartcontract #sushiprotocol #vulnerability #2023defihack
Hall of Fame for security researchers
"Role models
Acknowledgements for those who report security vulnerabilities have long been standard practice, particularly at large US corporations such as Google and Microsoft. The BSI and the Bundeswehr also already have their own acknowledgement pages; in the media sector, however, this is still rather uncommon."
#VulnerabilityDisclosure #VDP #VDPBw #Schwachstellenmanagement
New podcast about the Vultron protocol for Coordinated Vulnerability Disclosure https://youtu.be/8WiSmhxJ2OM
Learn more about Vultron at:
https://insights.sei.cmu.edu/blog/vultron-a-protocol-for-coordinated-vulnerability-disclosure/
#cvd #mpcvd #vulnerability #vulnerabilitydisclosure
This is awesome. The Centre for Cyber Security Belgium (CCB) has adopted a framework that protects individuals or organizations from prosecution (if they play by the rules) when they report security vulnerabilities affecting any systems, networks, or applications located in Belgium.
https://ccb.belgium.be/en/news/new-legal-framework-reporting-it-vulnerabilities
#infosec #vulnerabilitydisclosure
100th post, as fine a time as any to do the traditional #introduction before nobody on #mastodon does them anymore.
I'm a #hacker, a parent, a founder & CEO, government advisory board member, cat food servant, defender and participant in democracy, & an arm wrestling and karaoke enthusiast. Not necessarily at the same time, but not opposed to trying it all at once either.
Carpe brachium karaoke as they say.
Here we go. Get a snack & some water, this is long.
My professional passions include #SystemDynamics & #security with my #focus on helping organizations & governments develop healthy sustainable #VulnerabilityDisclosure programs that may end up growing into a #BugBounty program, or helping existing programs mature & evolve.
I founded & run https://www.Lutasecurity.com & we employ dozens of people, mostly in the US, to help some of our customers manage their #VDPs and #BugBounties as internally-placed personnel.
Services: https://www.lutasecurity.com/services
Hiring: https://www.lutasecurity.com/careers
Referral bounties: https://www.lutasecurity.com/referralbounty
I helped launch #HackThePentagon in 2016, which was the first bug bounty of the US government & the first time it was legal to hack the USG.
This was after I created Microsoft's first bug bounty programs in 2013, paying out the most at the time for brand new exploitation techniques, which would later lead to me directly helping the US renegotiate the #Wassenaar Arrangement to clarify "intrusion software" and "intrusion software technology" export control exemptions to more easily allow for hassle-free exchange of 0day & malware samples across borders for vulnerability disclosure & incident response.
I also started two vulnerability research programs, Symantec Vulnerability Research & Microsoft Vulnerability Research. The latter was also the first formal major vendor multiparty #SupplyChain vulnerability coordination & disclosure program.
I now serve on 3 Federal advisory boards in cyber.
NIST ISPAB: https://csrc.nist.gov/Projects/ispab/members
Commerce ISTAC: https://tac.bis.doc.gov/index.php/documents/members-listing/422-istac-website-listing/file
DHS CSRB: https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board
Fun fact: Despite mainstream media lip service about getting diverse voices on TV, and my extensive direct experience in US domestic & foreign cyber policy & norm-setting, I have *never* been invited to be on broadcast news to talk about it. Not one time. But there are the same dudes with none of my experience showing up on TV all the time.
Email Press@Lutasecurity.com if you can change that.
Speaking of gender equity, I was the lead plaintiff in the attempted class action gender pay and promotion discrimination lawsuit against Microsoft.
https://www.theverge.com/22331972/pay-equity-now-pledge-katie-moussouris-microsoft-lawsuit
When it failed to get class certified due to some legal gotchas, NOT because of lack of data and evidence, I decided to drop my case and founded https://www.payequitynowfoundation.org/blog & created
https://www.manglonalab.org/ to fight for #PayEquity in our lifetime.
Another fun fact: I'm asked about the gender stuff way more often than any of my professional work or national security work. I view this as The Lady Tax & I'm all paid up thanks.
Don't ask me about how to attract more diverse candidates, don't ask me to mentor your mentee, and don't ask me for any more free labor. Don't ask any historically marginalized people to do free labor, especially to solve your diversity puzzle.
I highly recommend https://blacktechpipeline.com/ if you are serious about not just hiring but welcoming more black workers into your company. There are specialty recruiters out there for you to pay, so don't ask every woman or person of color you know to help you with that unless they are being paid to do it.
Miscellaneous bits if you've made it this far: I studied molecular biology, biochemistry & mathematics but dropped out to become a systems administrator, a professional Linux developer, then a hacker for hire.
I still hack by accident (because hacksidents happen), and nobody should have to be the coauthor/coeditor of the International Standards on how to do Vulnerability Disclosure to get an organization's attention.
ISO standards overview: https://m.youtube.com/watch?v=-L3DNZtK8lc
Clubhouse hack: https://www.wired.com/story/clubhouse-bug-lurkers-ghost/
Despite my entire career being technical, when my company tried for venture capital funding to build something cool, we were met with sexism & lack of imagination & I was hilariously asked more than once if I had a technical cofounder.
It's cool, joke's on them. We're #profitable and growing.
https://www.vice.com/en/article/xgyvza/this-hacker-is-trying-to-close-the-gender-pay-gap-in-cybersecurity
I participate in Democracy with more than voting. Anyone with the bandwidth should look into doing it too.
1. Google "find my Legislative district"
2. Go to your State website & search by your address
3. Look up your Legislative District's (LD) website to find out how to join
4. Attend monthly LD meetings
5. Run for Delegate per LD or be appointed like me when not enough people do 1-4
Ending abruptly is on brand for me as a neuroatypical person, so I'll leave you with this thought:
I named my 17 year old cat Scapy (rhymes with happy) after the Python tool of the same name. Because he is dumb & fuzzy.
If you get that joke, you pretty much get me.
Be kind, drink water, touch grass, save the planet, save Democracy, pet cute animals.
#introduction #mastodon #hacker #SystemDynamics #security #focus #vulnerabilitydisclosure #bugbounty #vdps #bugbounties #hackthepentagon #wassenaar #supplychain #payequity #profitable
@hdm I guess you know this already but for some of your followers:
If you ever need help in the future with vulnerability disclosure and need a third party to coordinate:
I have very good experience with CERT(s). As long as you don't want any bounty or other forms of "payment", or want your name on every newspaper front page for fame, those organizations can coordinate the disclosure.
Which is very nice!
I can only speak for @certbund and the Polish CERT, but I guess all those kinds of organizations will support you.
Episode 210: Moving The Goal Posts On Vendor Transparency: A Conversation With Intel's Suzy Greenberg - In this episode of the podcast, Paul speaks with Intel Vice President Suzy Greenbe... https://feeds.feedblitz.com/~/648714610/0/thesecurityledger~Episode-Moving-The-Goal-Posts-On-Vendor-Transparency-A-Conversation-With-Intel%e2%80%99s-Suzy-Greenberg/ #vulnerabilitydisclosure #vulnerabilityresearch #softwaresupplychain #productassurance #vulnerabilities #cybersecurity #suzygreenberg
Taking a Neighborhood Watch Approach to Retail Cybersecurity - Bugcrowd CTO Casey Ellis covers new cybersecurity challenges for online retailers. https://threatpost.com/neighborhood-watch-retail-cybersecurity/162653/ #vulnerabilitydisclosure #retailcybersecurity #neighborhoodwatch #bugbountyprogram #vulnerabilities #holidayshopping #onlineretailers #infosecinsider #mobilesecurity #amazonprimeday #ethicalhackers #cloudsecurity #cybersecurity #websecurity #caseyellis #bugcrowd #covid-19
Vulnerability Disclosure: Ethical Hackers Seek Best Practices - Cybersecurity researchers Brian Gorenc and Dustin Childs talk about the biggest vulnerability disc... https://threatpost.com/vulnerability-disclosure-ethical-hackers-seek-best-practices/158955/ #vulnerabilitydisclosure #zerodayinitiative #publicdisclosure #vulnerabilities #patchmanagement #bugbounty #microsoft #podcasts #pwn2own #hacks #patch #flaw #iiot #iot #zdi
The Rise of the Open Bug Bounty Project https://thehackernews.com/2020/02/open-bug-bounty-project.html #vulnerabilityassessment #vulnerabilitydisclosure #vulnerabilityreporting #VulnerabilityDatabase #BugBountyProgram #cybersecurity #Vulnerability #bugbounty
Let's make ransomware MORE illegal, says Maryland - ... with a clumsily worded proposed bill that wouldn't protect researchers. more: https://nakedsecurity.sophos.com/2020/01/29/lets-make-ransomware-more-illegal-says-maryland/ #vulnerabilitydisclosure #responsibledisclosure #securitythreats #katiemoussouris #bugdisclosure #legislation #prosecution #researchers #ransomware #disclosure #law&order #dataloss #maryland #malware #bill
Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy - Project Zero vulnerability disclosures will now happen at 90 days, even if a patch becomes availab... more: https://threatpost.com/google-ditches-patch-disclosure-90-day-policy/151626/ #vulnerabilitydisclosure #coordinateddisclosure #vulnerabilities #policychanges #projectzero #bugbounty #90days #google
Google Offers Financial Support to Open Source Projects for Cybersecurity https://thehackernews.com/2019/12/google-open-source-projects.html #vulnerabilitydisclosure #PatchRewardsProgram #opensourceprojects #BugBountyProgram #cybersecurity #patchupdate #OpenSource #Google