BCOS Monero Village - The Monero Projects Vulnerability Response Process

Video in TIB AV-Portal: BCOS Monero Village - The Monero Projects Vulnerability Response Process

Formal Metadata

License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Okay, welcome everyone. I'm going to discuss Monero's vulnerability response process. So every project, every company, everyone should have some sort of process in response to any vulnerabilities in their software, hardware or whatnot. Why? Well, because you don't want to endanger the end user, and because a lot of the time it's a false positive, and sometimes you just need good collaboration; you need something to create order in chaos, theoretically. So this is what Monero does.

Now, before I came along there was nothing, and there was nothing, so I went ahead and took my work from Java I2P, ported it over to Monero, we hacked on it, and we essentially came up with this document. It's loosely defined and we essentially follow it. You can find it at the meta repo, that's github.com/monero-project/meta; it's right on the front, in the root directory. It begins with the preamble, essentially saying what this VRP applies to, as well as the lovely bounty we have. We do supply bounty for all these hackers, and we pay exclusively in XMR. Monero, what is that, like a Disneyland or something? Thing going back and forth. Okay.

So it applies to code implementation as seen in the Monero project repositories. You know, it's almost pseudo-legalese; I don't think it's legally binding, but it's something to keep us all on track. This also applies to research; people keep forgetting, you know, it's not always about the code. There's a lot of research and there's a lot of math and there's a lot of moving parts to this, and it's all applicable to this process. And of course, here's the thing: there's a lot of trust involved. We assume that people are not going to exploit this exploit or vulnerability, because we're assuming that they're nice enough to come and report it, so they're not going to exploit it. So we reiterate: you know, try not to do that, try not to abuse it. And here's what people don't get, all right: the live sites are not in scope. So if you want to report some cross-site scripting thing on the forum for the millionth time, it's not applicable. Please don't email, please don't HackerOne us. Okay, there you go.

We've got bounty, and as I said, a bounty is not eligible to people who do not follow this process, and I'll talk about a couple of those people who made a poor decision. Now, Kovri currently does not follow this process or HackerOne, which I'll talk about; there's no bounty available for Kovri, just go to GitHub or email me or anyone here on this list of points of contact for security issues. So we've got Ric and luigi for CLI, GUI and website, and for the Monero CLI and GUI I've got neruneru here, and of course there's me, and we essentially make up the response team. So it's a semi-trusted or trusted group within the community that handles these reports, these incoming things, and we disperse them as appropriate, we collaborate as appropriate. I don't always get credit, but I do work with moneromooo on a handful of patches that do make it into Monero, but it's part of my job, whatever.

And so here's the next step. So we get the message or we get the HackerOne report; they have two methods to contact us: they can use HackerOne, hackerone.com/monero, or send us an email, and there are reasons why I want to get rid of email; I'll point that out in the next tab. And so here's the... I mean, you can just review it yourself in your own free time, a whole bunch of stuff: establish the severity of a vulnerability, assuming it is a vulnerability, that's what we collaborate on, and respond accordingly. [Music] And then we have a post-release process. We're pretty loose about this right now, because nothing has been insane, nothing has been incredibly... well, relatively speaking, nothing CVE-worthy, if you will, if you believe in using CVEs. We haven't actually done any of that; we could, I don't know, maybe Howard has ideas on that, I don't know. Yeah, it's kind of whatever at this point.

So that's post-release, and of course bounty is optional: you know, you can do all this and say "no thanks, I don't want bounty." That was one excuse from one person who I'll point out. And then, so we go down here, it's pretty rough out here, we go to bounty distribution. So here's our little, here's our math for this: you know, at most you'll receive 10% of each category, so 10% of 60% of the total bounty amount for high-severity bugs, and it tiers on down below. It's somewhat subjective and we've had no complaints; no, there's been one complaint, but I'll talk about that too. So I've got to move on for time. Incident analysis: something we'd like to do more of once we start getting some actually more useful reports and not website cross-site scripting, etc. More collaboration, isolating the code base, auditing, which is actually auditing; it's an ongoing thing with MRL, the research lab, getting the BP audits done, for example, but there was nothing actually exploitable that drove that to happen, it's just kind of a research thing. And the resolutions: essentially I just go on r/Monero and post what happened, and here's a summary, and here's the link to HackerOne. And continuous improvement: what can we do to improve the process? Well, you know, we need more time to work that out.

So let's go to hackerone.com/monero, and here's the policy. You'll go to it, you want to report something: look, do not submit CSRF or XSS related reports; they will be closed as not applicable. And I can't tell you how many we get, because it's a lot; I don't have the number, but it's a lot, and they don't get it, they don't read, they don't pay attention. So let's check out the activity. Here are all the reports that were submitted. So we've got "constant-time comparison is not always implemented", "local areas are vulnerable to key timing attacks" by yours truly, "trusted daemon check fails in proxy through Tor SOCKS", etc., etc. These are actually useful things, you know, these are actual bugs that can be exploited, and they were responsibly disclosed and patched, and they received bounty, and, you know, very happy customers, and we're happy they were responsible about it. Always have bounty, blah blah blah.

And this is the problem. When was this, the first one, how many months ago? Eight months ago, yeah: this guy wanted a hundred thousand dollars of XMR, or he thought he would get it, for a one-line patch to pre-alpha code, Kovri code. A hundred thousand at the time, I mean that was when XMR was like 200. So of course that kind of triggered me, and you can read the thread, it's pretty funny. But aside from that one case, we have all these, it was great, we have all these reports, and you can see, well, you know what, here's a good one, there's the Tor SOCKS one, there we go. So, you know, the reporter puts a summary, description, releases affected, steps to reproduce, possible solutions. "Hey, what's up? Hey, how's it going? Thanks a lot, try this." "OK, we'll try this." OK, and then it works out and, you know, "send us your address, we'll send you money," and then they get it. So, so far so good, right? I mean, there have been problem people, though, who do not believe in this process. We don't have sound; I was going to play some Khachaturian, the Sabre Dance, to go with this. You know, if you don't know that piece, I won't sing it for you, but it's fun. OK, where are we?

Wait, any questions so far? Any questions? Yes. Yes, they have to provide... well, they have to at least report it, and it has to be verifiable as a vulnerability. They don't necessarily have to provide a patch. Personally I want a proof of concept, but they can't do that... this is me so far. Like, I think, before this, I don't see a single diff for anything, just some ideas on how to resolve it, and moneromooo goes in and actually provides the patch, and then we say thank you, give them the bounty. Now this is based roughly on this amount; this is the total bounty we have available, and from that pool we deduce, you know, the various percentages per tier, which we deem to be low, medium or high vulnerabilities, and that is semi-defined within this process. Where is it... here we go, wait, no, sorry. Well, it's in here, I promise it's in here. If you see it, yeah. Am I public? Yes, yes, if you go to the meta repo. How are they selected? Ah, that's a good question. Well, right now it's a static group of people: myself, fluffypony and luigi and moneromooo, the most trusted, most premium; we've been around for years, we don't screw around, we don't have time for that, most knowledgeable, if you will. And there's been zero complaints so far; we're always open ears and comments. And the person... so we just showed you, OK, so that's the total amount we have available. OK, here's the security advisory.

Here's, I told you, after we do the reports, you know, we want to get it out there: hey, Monero is very active in being responsible and being honest about this. This happened, it happened at this time, well, we'll just, you know, this is always, this is development, you've got to take it and move on. So here's a summary I just recently did, and it has all the links, so it's totally open, and, you know, we're as active as possible. And that's on Reddit, r/Monero.

And so the question, let's see, I wanted to cherry-pick some of this, is why. So the question is: why don't you just take emails, why are you using HackerOne, isn't that, like, dangerous, I mean, what if they're working with the NSA or what have you? And that's a really good question. Has anyone thought of that question, has that crossed anyone's mind, like why are we using HackerOne? Anyone? OK, OK, here we go. What did I say, I know, having this very lovely discourse here. Yes, so essentially people, they want to go... but if they have to go through the effort of creating an account, they hope that people won't publicly see what they're trying to scam. For example, if someone emails us saying, you know, "hey, I found this extreme exploit, it's going to crash the network, you have 30 days to give me bounty or I'm going to destroy the world," right? They can say it, but, you know, where's the proof, first of all? But they can also release that, for example, to the media; they can say "Monero has this huge exploit and I'm just going to screw them over if they don't pay me." Yeah, that's a bad move, and what have you, but then you have 30 days of wondering, and then you have 30 days of speculators, and that is, you know, how that works out. So if we were to force HackerOne, they essentially act as a third party. I mean, it's intentional, we wanted that third-party observation, so they can say "hey, no, this is either a real exploit, provide that proof of concept, or it's not, you're full of it, this is a scam." So that's probably one of the bigger reasons why we prefer HackerOne over email, and I would say get rid of email altogether. Then various other reasons. So I discussed that.

Now let's talk about a few of the problem people. So these are people that, well, I think I already pointed out, yeah, this one, this is the twenty thousand, twenty-one thousand, whatever. So that was a problem person, but here's a case of irresponsible disclosure: our lovely friend fireice_uk, I'm sure he's watching this. So I guess his argument was, OK, so I mean I really don't want to glorify this guy at all, but essentially you can judge for yourself. I believe his argument was he didn't want to report it responsibly because he didn't want bounty. Well, that makes absolutely zero sense, because you can just say "no thanks" on the bounty, as I did with the constant-time person; I'm just like, whatever, I'm paid anyway, this is too tricky, just whatever, fix it. But hey, that was his argument, supposedly, if I'm interpreting his statement. And of course he cherry-picks, right, cherry-picks the one bad report we had, where the guy wanted one or two hundred thousand, and says, you know, that's the reason, because these guys are such assholes and they're such evil people, and I'm so innocent, and I'm just going to publicly disclose this because I'm elite and you are not. So, I mean, I haven't followed the thread honestly after... oh look, someone thumbs-downed it. Oh, GitHub. Oh, OK, we've got an unhappy customer there. But this goes on, you can read the thread; it's resolved, it was resolved.

So in another case, and this is funny, this is what the MRL folks had to deal with: it was like a tweet. OK, that's just very irresponsible, because you don't know what can come from the tweet. First of all, you don't even know if it's applicable; secondly, you don't know how much damage it can do, if any at all. There's no discussion, it's just like this abrasive ego, essentially, how I'm interpreting it, you know, "look at me, look at me, look at this." And I'm thinking, you know, this is just... everything's going to be broken at any point, this is how it is, it's not a huge deal, so let's not make it a big deal, let's try to streamline this, so we can do other things with our lives. And I believe this was resolved. I'm glad the... is that clear? Yes, absolutely, so they can clarify further if you want to talk to them. So those were just a couple of the bad cases, and you saw some of the good cases. I think, I mean, those are the links I have. Any questions? Yes.

Duplicates? If any of them... I mean, we use both email and HackerOne. Why not HackerOne... the first part of the question, before the mic: how do you deal with duplicates, because you have, like, two entry points to your bug bounty program, and why don't you just use only HackerOne? That's a great question, and that's what I want, I want to get rid of that one entry point of email. I personally haven't gotten any emails about Kovri, but I don't have access to, you know, fluffypony's, you know, and whatever emails they get, I don't know. And that's actually kind of cool, because although we're a team, we're a decentralized team, so it's not a hundred percent... we're not like a cabal of people working together to, you know, manipulate things. I don't have access to everything, they don't have access to everything, so that's actually a convenient thing. But why don't we do that? We haven't fully discussed it yet; I would like to remove that point, to answer the question. OK. Oh, I'm sorry, you have... how do I do that, or what? Oh, patiently and politely, or at this point I'm just copy-pasting, you know, "read the policy," and I close the report, because I know they're not reading the policy. Duplicates, most of the time... well, no, OK, I see what you mean. OK, actually the only instance of duplicates was with the recent one, the double spend, that's the short end of it. Yes, yes, yeah, so a couple of people, but it turned out, if you look at the details, they weren't actually duplicates, so we actually rewarded each researcher on a per-issue basis. But we haven't found any duplicates of actually useful code; the duplicates are all, like, website cross-site stuff, so just close the report. OK.

If you want to discourage email, could you post a PGP key on the HackerOne account and encourage encrypted submissions? I'm sorry, could you... better, sure. I can't hear anything of him. Do you want to encourage encrypted submissions on HackerOne if you want to get rid of the email contact? How would you... I mean, what, OK, and just place a PGP key on the HackerOne disclosure page? Sorry, I did not... a PGP key? PGP, yeah, within HackerOne, yeah, yeah, on the disclosure page. Sure, sure, that would... but that would, I mean, that would assume, you mean within the report? Yeah, if there's a concern that the platform has been compromised by intelligence and they've got access to the non-public reports. Well, that, and that's another thing: we're actually assuming that they are compromised; we're actually, in a certain sense, hoping they are, because that gives us incentive to resolve this quickly. Hmm. Else there was a certain legal binding to them, if they as a business don't follow through with their code... I mean, that was actually one of the threats there, but then of course the argument for that is, well, they can comply with an alphabet agency, they don't have to disclose it. OK, well, you have all these what-ifs, so we just have to assume it's compromised, and we need to use that to our advantage to prevent scammers and whatnot. So if we used PGP, for example, that would essentially be like email, in my opinion: the reporter could be from anywhere, and wherever, encrypting something, they can't see the message. Does that make sense? So that, I think that's why we don't. OK. Any other questions? OK, yeah.

I'm curious where... I guess the pool of your bounty, is it donation-based? Yes, thank you. It is entirely donation-based. We've raised a lot of bounty from the community, just people who want to contribute, so they give Monero, and there's, yeah, there's no company backing, there's no agency backing that I know of; it's all paid in Monero anyway, so it's untraceable. One more question, or any more? One more question.

Do you actually proactively try to find exploitation attempts or vulnerabilities that weren't disclosed? Do you have a proactive approach to discover non-disclosed vulnerabilities that are actively exploited? Oh, OK, me personally... that's kind of part of development. I mean, I'm not sure if I understand the question, we're always trying to find these. Oh, you mean, like, heuristics and analysis and network monitoring? Yeah. Oh, well, not within this process, not yet. I mean, that's something to think about, but that kind of goes to the realm of development and research, and this is more of just streamlining something really simple, and reporting, essentially. OK, thank you all very much.

All right, let's give anonimal a hand. Thanks so much for coming up here, and if you have any more questions for him, he could be hanging out back at that table, and he can be talking about Kovri and also this vulnerability response process.