The iOS FaceTime vulnerability: What it means and what you can do to protect yourself
Yesterday news broke that a bug in FaceTime that allows callers to listen to the audio of the person they
How Governments are Running Effective Bug Bounty Programs
If you’re reading this article, statistically speaking your organization might be getting hacked. In the private sector, the Equifax
On disclosure, confidentiality, and norms…
A few weeks ago I was tagged by Art Manion of the CERT Coordination Center (CERT/CC) in a tweet
Election Security 2020: Don’t Let Disinformation Undermine Your Right to Vote
A tweet of a voting machine that “looks like” it’s infected by ransomware could be as effective at deterring voter turnout and confidence as the real deal, which is a cost-effective and asymmetric means to manipulate election results.
On Project Zero's 90+30 vulnerability disclosure policy changes
Google is acknowledging the increasing prevalence of n-day exploitation in the wild, particularly over the past 18 months (e.g. the CISA/NSA memo) have taken their next step in refining how they strike balance between these forces.
Security Research and Disclosure: The Unauthorized Biography - Nullcon March 2021
Title: Security Research and Disclosure: The Unauthorized Biography | Casey John Ellis | Nullcon Conference March 2021
NIST: Vulnerability Disclosure as a Requirement for Every Organization
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a set of policies meant to help the private
Responsible Disclosure Programs with Katie Moussouris & Casey Ellis | 401 Access Denied Ep. 22
Katie Moussouris, Founder & CEO of Luta Security and Casey Ellis, Founder & CTO of Bugcrowd join Joe and Mike to talk all things responsibility disclosure – the good, the bad, and the ugly.
Modes of Public Vulnerability Disclosure
A proposed taxonomy... Discovery, Documentation, Distribution.
A thought re vulnerability research clustering
The fact that insecure software pipelines are exploitable feels a little like the idea that bugs exist in old F/OSS code, or that a chip design might not be 100% perfect. It's almost QED - but in the defensive realm, people weren't looking there.
