caseyjohnellis - caseyjohnellis

The iOS FaceTime vulnerability: What it means and what you can do to protect yourself

Yesterday news broke that a bug in FaceTime that allows callers to listen to the audio of the person they are calling before that person picks up. Today we learned

How Governments are Running Effective Bug Bounty Programs

If you’re reading this article, statistically speaking your organization might be getting hacked. In the private sector, the Equifax hack and Intel’s processor vulnerabilities took the mainstream media

On disclosure, confidentiality, and norms…

A few weeks ago I was tagged by Art Manion of the CERT Coordination Center (CERT/CC) in a tweet asking about Bugcrowd’s approach to disclosure policy defaults. The

7 years and counting…

In 2012, Bugcrowd set out to create a radical cybersecurity advantage and level the playing field between attackers and defenders. As one of the first steps on that journey, seven

The Future is Now: 2020 Cybersecurity Predictions

How is it 2020 already? We’re in the last month of the decade, and the year that has long held a “futurist bookmark” in people’s minds is now

Election Security 2020: Don’t Let Disinformation Undermine Your Right to Vote

A population that is fearful of interference in ways they might not necessarily understand is more vulnerable to manipulation through disinformation strategies. This is particularly true of election security as

DEF CON Black Hat 2020: Top 10 Tips

While it feels illegal to hang out with your friends right now, the pandemic is no match for the dedicated folks who unite for Black Hat and DEF CON every

NIST SP 800-53 R5 adds Vulnerability Disclosure Programs to Federal Security and Privacy Controls

Earlier this week, the National Institute of Science and Technology (NIST) released Revision 5 of NIST Special Publication (800–53) Guidelines Security and Privacy Controls for Information Systems and Organizations.

Priority One: Insights into Submission and Payment Trends

2020: Chaos is a Ladder As 2020 comes to a close, I’ve started to see summaries of the year pop up, covering lessons learned from the year nobody saw

NIST: Vulnerability Disclosure as a Requirement for Every Organization

What is the NIST Cybersecurity Framework? The NIST Cybersecurity Framework is a set of policies meant to help the private sector in strengthening their cybersecurity readiness and awareness. The framework

thoughtops

[TRANSCRIPT] Titan Talks - Ep 2 - Casey John Ellis with @thecybermentor

I've watched Heath's journey as a education and community powerhouse, and more recently as an entrepreneur with tcm-sec with much interest and respect and was super excited for this conversation.

bugcrowd

On Project Zero's 90+30 vulnerability disclosure policy changes

Google is acknowledging the increasing prevalence of n-day exploitation in the wild, particularly over the past 18 months (e.g. the CISA/NSA memo) have taken their next step in refining how they strike balance between these forces.

bugcrowd

[TRANSCRIPT] Security Research and Disclosure: The Unauthorized Biography - Nullcon March 2021

Title: Security Research and Disclosure: The Unauthorized Biography | Casey John Ellis | Nullcon Conference March 2021

thoughtops

My "office" setup

As WFH was going from novel to normal, the thought occurred to me that "virtual semiotics" was quickly going to become a thing... The equivalent of the how to dress, where to sit, how to speak type advice executives get taught, but for a world which is virtual by default.

vulnerability disclosure

[TRANSCRIPT] Responsible Disclosure Programs with Katie Moussouris & Casey Ellis | 401 Access Denied Ep. 22

Katie Moussouris, Founder & CEO of Luta Security and Casey Ellis, Founder & CTO of Bugcrowd join Joe and Mike to talk all things responsibility disclosure – the good, the bad, and the ugly.

disclose.io

Establishing asset ownership in vulnerability reporting

The thing I see people get wrong most frequently in vulnerability reporting is being able to answer the question of ownership and "where to report my findings." Here are some practical tips for establishing ownership and thereby identifying the appropriate coordinator to contact.

vulnerability disclosure

Modes of Public Vulnerability Disclosure

A proposed taxonomy...Discovery: A finder discovers a vulnerability in an organization.Documentation: The finder generates information about the vulnerability in a vulnerability report.Distribution: The finder then chooses whether

becausemath

A thought re vulnerability research clustering

The fact that insecure software pipelines are exploitable feels a little like the idea that bugs exist in old F/OSS code, or that a chip design might not be 100% perfect. It's almost QED - but in the defensive realm, people weren't looking there.

election security

Krebs Has A Posse Swag on Redbubble

“Krebs has a Posse” stickers/swag are starting to circulate in North America, but I still get asked for them a lot, so here 'tis, in Redbubble store form!

thoughtops

Help! My Social Media has been hacked!

I know you do security stuff with computers and my Twitter/Facebook/Instagram/etc has been hacked! It's posting all kinds of strange stuff that isn't from me. What do I do to stop this???

thoughtops

Outrage is cheap

Outrage is cheap and of fleeting value. Introspection and change are expensive, precious, and resilient... and very easy to miss if everything is the other guy’s fault.

thoughtops

2020 Lernings for Make Benefit Glorious Year of 2021

My family and I are straight-up blessed with how we've fared this year, and I'm incredibly thankful for the myriad of people and things - but whichever way you cut it, 2020 was a dense and challenging year and not one I’d rush to repeat.

disclose.io

[TRANSRIPT] Van Buren v. United States - Oral Argument

The Supreme Court heard oral argument in Van Buren v. United States, a case concerning a statute of the Computer Fraud and Abuse Act (CFAA) and violations of terms of service agreements.

election security

DEF CON endorsed by POTUS!

Great news everyone: After years of steady work and deliberate improvement of relationships and trust between the hacker community and government officials, we've made it to the apex of the American org chart!

Subscribe to caseyjohnellis