2/26/2023 Ispectrum a disrace

According to Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, common software vulnerability disclosure methods include the following:

In a full vendor disclosure approach, external security researchers agree to disclose vulnerabilities only to relevant vendors to avoid unveiling information that malicious hackers could exploit. Critics of this strategy say it fails to hold software companies accountable for patching vulnerabilities in a timely fashion, leaving users at risk and stifling information sharing.

At the other end of the spectrum, full public disclosures involve sharing vulnerability details publicly and in their entirety, whether software vendors have developed patches or not. Proponents argue this approach better serves users by pressuring vendors to respond quickly to high-risk bugs of which attackers may already be aware. Critics say it makes the public less safe, as vendors and malicious hackers race to beat each other to the punch. Some researchers have also reported resorting to full public disclosure out of frustration with lackluster vendor responses and flawed bug bounty programs.

Coordinated disclosure falls somewhere between full vendor and full public disclosures. Also known as partial vendor disclosure or responsible disclosure, a coordinated disclosure approach entails some level of cooperation between researchers and vendors.

For example, in a coordinated disclosure, an ethical hacker might wait 60 days to publicly announce a vulnerability, giving the affected vendor time to develop a patch. The researcher might also withhold proof-of-concept code to avoid giving malicious hackers information on how to exploit the bug.

"Education is key - informing readers of the different points of view and then letting them make up their own minds," said Allen Harper, lead author of Gray Hat Hacking. "That said, I think it is important for all cyber professionals to recognize that there are lines, to draw those lines for themselves and to hold themselves accountable."

Here, Harper discusses the potentially devastating consequences of unethical vulnerability disclosures and why he believes cybersecurity needs more practitioners who use their powers for good.

Editor's note: This interview was lightly edited for length and clarity.

What does it mean, to you and your Gray Hat Hacking co-authors, to be an ethical hacker?

Allen Harper: The point of Gray Hat Hacking: The Ethical Hacker's Handbook - and the point of being a gray hat hacker - is to use offensive techniques for defensive purposes. We want to help people, not hurt them, and we never want to do anything that's illegal or that crosses any lines. We believe in beating the bad guys to the punch by using their techniques to find issues and get them fixed before someone comes around and takes advantage of them. We wrote this book to support the good guys out there trying to make a difference.

We also work hard to ethically disclose vulnerabilities. There's nothing in the book that you wouldn't find elsewhere or anything in there that would hurt anyone. So, for example, say one of our authors were to find a vulnerability in a major software vendor's product. Out of our own sense of decency and ethics and morals, we would reach out to that company first and let them know. I've personally given companies 60 to 90 days to work through issues before talking about a vulnerability publicly and before I would dare write about it in the book. I have personally seen companies destroyed by unethical vulnerability disclosures.

Far too many people have been hurt by irresponsible cybersecurity professionals, and it's embarrassing. It's worse than that; it's a disgrace to our field. We need more people who are using their powers for good. That's our main message, and we always want to make sure it comes across in the book. It's why we do what we do; it's what makes us different from the bad guys.