Gamifying Vulnerability Reporting for Coordinated Disclosure at Microsoft Security Response Center

Slide Note
Embed
Share

Christa Anderson, a Senior Security Program Manager at Microsoft's Security Response Center, discusses the importance of gamifying vulnerability report data to encourage coordinated disclosure. The MSRC Top 100, announced at Black Hat USA, plays a crucial role in the public credit strategy by recognizing and rewarding researchers for their contributions. The process involves assessing severity, impact, and crediting reports that enhance security without disclosing vulnerabilities. Various methods such as awareness, bounties, and public acknowledgement are utilized to promote Coordinated Vulnerability Disclosure. The rewarding system factors in severity levels, impact multipliers, and mitigation bypass points to incentivize long-time finders of vulnerabilities affecting multiple products.

buis_an
buis_an Follow

Uploaded on Sep 28, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Christa Anderson Senior Security Program Manager, Microsoft Security Response Center Gamifying vulnerability report data to encourage coordinated disclosure: The making and remaking of the MSRC Top 100 1

  2. What is the Microsoft Security Response Center? A little What happens when you report a vulnerability? What is Coordinated Vulnerability Disclosure? background 2

  3. The MSRC encourages CVD in several Awareness of CVD Bounties Public acknowledgement ways The Top 100 announced at Black Hat USA is a key part of our public credit strategy

  4. Researchers really, really respond to the Top 100 Researchers watch this measure closely They notice not only whether they re on the list but what their rank is, how it compares to last year, and where everyone else is 4

  5. Is it actionable? How severe is it? The Top 100 isn t just how many issues someone reported How do we credit reports that improve security but aren t reports of vulnerabilities? What s the security impact? Who gets the credit? 5

  6. You can slice even these few data points in several ways 6

  7. Time period Since 2004 (decay applied every 6 months after 18 months) Cases included Example #1: Most impactful submitters since MSRC established All reported under CVD and either fixed or in development Credited to Report submitter if report acknowledged Severity limits Critical, Important, Moderate (5 -3 -1) Final points (Severity Points * Impact Multiplier) + Mitigation Bypass Points Result Rewards long-time finders with reporting vulnerabilities affecting multiple products. Weights in favor of long-running products/services 7

  8. Time period 12-month period June-June Example #2: Most impactful direct submitters of previous 12 months Cases included Master and duplicate cases fixed in current period Credited to Report submitter if report acknowledged but not aggregated reports from a third party Severity limits Critical, Important, Moderate 5-3-1 scale Final points (Severity Points * Impact Multiplier + Mitigation Bypass Points Result Rewards those who report high-impact and actionable vulnerability directly to Microsoft 8

  9. Time period 12-month period June-June Cases included Example #3: Most impactful submitters of previous 12 months Master and duplicate cases fixed in current period Credited to Acknowledged finder, regardless of whether they reported directly or through a third party Severity limits Critical, Important, Moderate 9-5-1 scale Final points (Severity Points * Impact Multiplier + Mitigation Bypass Points Result Rewards all effort and seeks to give more credit for high-severity issues 9

  10. Sure, repurposing data has problems Values assigned to severity and impact are arbitrary Attribution can be tricky because of the way data is stored Everyday data management/cleanliness issues that pop more given the way it s published Tweaking formulae isn t the solution And the measures aren t complete How do we take into account customer impact? Should we consider report quality? But the real issue is that we need to update the model to drive the behaviors we want. 10

  11. Smooth path to attribution Give people time and information to adjust their behavior Promote products/services where we d like to encourage interest Account for helpful behaviors (e.g., great quality reports) and non-helpful behaviors Account for non-actionable reports How do we use the Top 100 to get higher-impact reports?

  12. How are you using risk data to nudge human behavior? 12

  13. Christa.Anderson@microsoft.com @virtualchrista secure@microsoft.com @msftsecresponse Thank you!

Related


Evolution of Vulnerability Disclosure Practices

Evolution of Vulnerability Disclosure Practices

laytonwh
Understanding the Vulnerability Index for Small Island Developing States

Understanding the Vulnerability Index for Small Island Developing States

evander
Understanding Vulnerability: Meaning, Types, and Factors affecting Vulnerability

Understanding Vulnerability: Meaning, Types, and Factors affecting Vulnerability

james_cameo
Understanding Digital Transformation in the Age of Cybersecurity Insight

Understanding Digital Transformation in the Age of Cybersecurity Insight

kaylen
Understanding Disclosure of Adverse Clinical Events in Healthcare

Understanding Disclosure of Adverse Clinical Events in Healthcare

tawn_9
Impact of Management of Offenders Act on Disclosure Awareness Session

Impact of Management of Offenders Act on Disclosure Awareness Session

brennusk
Understanding Disclosure of Designs under CDR - Key Insights

Understanding Disclosure of Designs under CDR - Key Insights

jaal952
Exploring Microsoft Graph: Accessing Files and Enhancing Microsoft 365 Platform

Exploring Microsoft Graph: Accessing Files and Enhancing Microsoft 365 Platform

madilynn
Understanding Coordinated Entry System (CES) in Homeless Services

Understanding Coordinated Entry System (CES) in Homeless Services

kezia
Understanding Telecom Security Testing: Vulnerability Assessment & Remediation

Understanding Telecom Security Testing: Vulnerability Assessment & Remediation

mia
Coastal Vulnerability Assessment of Curacao, Netherlands Antilles

Coastal Vulnerability Assessment of Curacao, Netherlands Antilles

leir320
National Access Elsewhere Security Oversight Center (NAESOC) Overview

National Access Elsewhere Security Oversight Center (NAESOC) Overview

umair
Microsoft Access: A Comprehensive Overview

Microsoft Access: A Comprehensive Overview

kayla
Deployment of New Technologies: Insights from Microsoft's Internal IT

Deployment of New Technologies: Insights from Microsoft's Internal IT

maue_hna
National Response Center Operations Overview

National Response Center Operations Overview

karol
Expert Security Tips and Hacks for D365FO by Alex Meyer

Expert Security Tips and Hacks for D365FO by Alex Meyer

clancy
Coordinated Spatial Reuse in IEEE 802.11bn Standard

Coordinated Spatial Reuse in IEEE 802.11bn Standard

anayah
Coordinated Beamforming/Null Steering Protocol in IEEE 802.11be

Coordinated Beamforming/Null Steering Protocol in IEEE 802.11be

manners_c
Federal Agencies Guidance on Ethics, Compliance, and Audit Services under NSPM-33

Federal Agencies Guidance on Ethics, Compliance, and Audit Services under NSPM-33

hashim
Detailed Guidance and Requirements for Implementing NSPM-33

Detailed Guidance and Requirements for Implementing NSPM-33

yala599
Disaster Recovery and Incident Response Concepts

Disaster Recovery and Incident Response Concepts

till
UNEP Support for Improving UNCCD Reporting Procedures

UNEP Support for Improving UNCCD Reporting Procedures

valentina
CAMPUS SECURITY AUTHORITY (CSA) TRAINING CAMPUS SECURITY AUTHORITY (CSA) TRAINING

CAMPUS SECURITY AUTHORITY (CSA) TRAINING CAMPUS SECURITY AUTHORITY (CSA) TRAINING

croix
Achieving Microsoft 365 Agency Migration Readiness

Achieving Microsoft 365 Agency Migration Readiness

alistairj

More Related Content

Comparison of Security Features in Microsoft 365 Suites
Comparison of Security Features in Microsoft 365 Suites
Understanding Risk Management in Environmental Geography and Disaster Management
Understanding Risk Management in Environmental Geography and Disaster Management
Comprehensive Guide to Vulnerability Mapping in Election Planning
Comprehensive Guide to Vulnerability Mapping in Election Planning
Vulnerability Mapping (VM).Guidance Plan
Vulnerability Mapping (VM).Guidance Plan
Leveraging Artifact Dependency Graphs for Software Vulnerability Detection
Leveraging Artifact Dependency Graphs for Software Vulnerability Detection
Economic Vulnerability Premium for SIDS - Webinar Insights
Economic Vulnerability Premium for SIDS - Webinar Insights
Understanding Vulnerability and Capacity Issues in Civil Courts
Understanding Vulnerability and Capacity Issues in Civil Courts
Reimagining Vulnerability: Rethinking the Body and Human Dignity
Reimagining Vulnerability: Rethinking the Body and Human Dignity
Understanding Risks and Vulnerability in Risk Assessment
Understanding Risks and Vulnerability in Risk Assessment
Deploying Secure Applications on Azure PaaS
Deploying Secure Applications on Azure PaaS
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Understanding Conflict of Interest in ACCME Accredited Activities
Understanding Conflict of Interest in ACCME Accredited Activities
Understanding the Impact of the Insurance Act 2015 on Brokers and Insurers
Understanding the Impact of the Insurance Act 2015 on Brokers and Insurers
Updated Disclosure Rules for Financial Relationships in Continuing Education
Updated Disclosure Rules for Financial Relationships in Continuing Education
Understanding Disability Disclosure in Employment: Practical and Ethical Considerations
Understanding Disability Disclosure in Employment: Practical and Ethical Considerations
Understanding the Capital Budgeting and Disclosure Process
Understanding the Capital Budgeting and Disclosure Process
Example of COI Disclosure Formats in Academic Presentations
Example of COI Disclosure Formats in Academic Presentations
Transparency in Banking: Examining Disclosure and Regulation
Transparency in Banking: Examining Disclosure and Regulation
Charleston County Consolidated 9-1-1 Center Overview
Charleston County Consolidated 9-1-1 Center Overview
Urban Surveillance and Health Reporting System in Bangalore Model
Urban Surveillance and Health Reporting System in Bangalore Model
Understanding Community Lifelines and Core Response Capabilities for Stabilizing Communities
Understanding Community Lifelines and Core Response Capabilities for Stabilizing Communities
Small Company Disclosure Simplification Act: H.R. 4164 Overview
Small Company Disclosure Simplification Act: H.R. 4164 Overview
Understanding Mandatory Reporting for Elder Abuse
Understanding Mandatory Reporting for Elder Abuse
Comprehensive Guide to Penetration Testing Execution Standard (PTES)
Comprehensive Guide to Penetration Testing Execution Standard (PTES)