A presentation at JCON EUROPE in Cologne, Germany by Brian Demers

Security Vulnerabilities for Java Developers Brian Demers Open Source Developer BrianDemers bdemers
🐛 🦟 “All software has bugs.” 🐜 @BrianDemers | bdemers 🐞
Topics
• What is a Vulnerability
• What is Responsible Disclosure
• How they are Reported
• Learnings from Log4Shell
• What you can do for your Projects
• Code
• Dependencies
• Reporting Security Issues
IANAL: I Am Not A Lawyer
TINLA: This Is Not Legal Advice
Who is this guy?
Developer Productivity Engineering
What is a Vulnerability
Quick Example audible.com/typ/promo?couponValue=1000000.0
CVE vs Vulnerability Common Vulnerabilities and Exposures • An ID for Vulnerabilities CVE-2021-44228 <year>-<number> xkcd.com/1957
(Data from nvd.nist.gov)
Common Vulnerability Scoring System (CVSS) nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Common Weakness Enumeration (CWE)
CWE-400: Uncontrolled Resource Consumption
CWE-502: Deserialization of Untrusted Data
CWE-20: Improper Input Validation
Common Platform Enumeration (CPE)
cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:x86:*
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
org.apache.logging.log4j:log4j-core:2.17.1
CVEs are Bad?
https://cve.org/ https://nvd.nist.gov/
The Bad…
Vulnerability Report Timeline: Report (privately report the issue) → Fix (patch and fix the issue) → Disclose (announce the fix)
Responsible Disclosure • Give vendor time to fix vulnerability before telling public
Full Disclosure • Tell public ASAP
(Privately)
• NOT on StackOverflow
• NOT on an Email list
• NOT on an open forum (Slack)
• Look for a security mailing list
• Check Bugcrowd or HackerOne
• If you are worried use an anonymous email account
Don’t use a public bug tracker
• It’s up to the project to fix the issue
• Open Source project? Get involved!
• Project publishes a patch/fix publicly
• The project should give you a timeline of the fix
How long to wait?
• Google Project Zero - 90 days
• Linux Kernel - 2 weeks
• HackerOne - 30 days
• CERT - 45 days
• After the fix you can disclose the issue.
• Blog about it.
• Tell your friends you are a security researcher now
• Or not (some companies reward you $$ for not talking) xkcd.com/1871/
The ASF Process • A detailed 19 step process • apache.org/security/committers.html
Log4Shell Timeline
Report: 2021-11-24 - Privately Reported (Alibaba Cloud Security Team)
Disclose: 2021-11-29 - Public Commits (GitHub, Mailing lists, Bug Report, etc.)
Exploit: 2021-12-01 - Exploit out in the wild (Cloudflare’s earliest evidence)
Fix: 2021-12-09 - Public Release (Maven Central)
Dependencies
Your Application: Your code + Dependencies
Dependencies
• Other libraries (Maven Dependencies)
• Java JVM
• Docker?
• Operating System
• Virtual Machine?
https://xkcd.com/2347/
Automate your Dependency Updates
Are your dependencies healthy?
End of Life
Rotate your Keys 🗝 ♻
SBOM
Write less code.
“Friends Don’t Let Friends Build Auth” –Your Friend
Code • Continuous Integration • Static Analysis • Audits / Security Reviews
zaproxy.org
Code Scanning Tools
Vulnerabilities are a fact of life.
Create a GitHub Issues Template
.github/SECURITY.md
securitytxt.org Add a .well-known/security.txt
Bug Bounty Sites
Thank You! @BrianDemers
Attribution
• “xkcd 1938, 1957” are licensed under CC BY-NC 2.5
• Internet Of Shit sticker image from: https://twitter.com/internetofshit
• https://intezer.com/wp-content/uploads/2017/08/GoodBAd-1000x475.b197b0.webp
• Intel insider trading image: https://i.kym-cdn.com/photos/images/newsfeed/001/329/141/44f.png
• Three people secret image: http://www.notable-quotes.com/f/benjamin_franklin_quote_2.jpg
• Secret stamp: cc-by-sa Willscrlt: https://commons.wikimedia.org/wiki/File:Top_secret.png
• Questions image: https://veryfunnypics.eu/wp-content/uploads/2014/09/funny-pictures-how-to-avoid-questions.jpg
• PGP encryption image: https://static.goanywhere.com/images/products/mft/GoAnywhereMFT_OpenPGPDiagram_web2018.png
• CVSS score image: https://www.first.org/cvss/v3-1/media/dcbbdaef38f7d415ef9ccbd936d48d4e.png
• JFK meme: https://imgflip.com/i/3si67b
• Private sign: https://veryfunnypics.eu/a-private-sign-2/
Ever seen a security-related issue that you felt should be reported? Unsure of how reporting a security issue is different from a regular bug? Developers of any level should know how to report a vulnerability.
In this talk, we will talk about what CVEs are, some general vulnerability classifications, look at a few common ways you can report security issues, as well as look at a few common mistakes.
This talk is geared toward non-security professionals.