CVE at Black Hat and DEF CON



Folks,

Anthony Singleton and I represented the CVE program at Black Hat and DEF CON this year. Overall, the trip was successful, as our goals were to present to the DEF CON community about the CVE program, hold a CNA Meet-up during Black Hat, and raise general awareness of CVE at both events.

Anthony and I presented "CVE IDs and How to Get Them" at the Wall of Sheep at DEF CON. We had an attentive and friendly audience of about 50-60 people. We answered a number of questions, and the technical level of our talk was correct for the crowd. We had a few people stick around and ask questions or compliment our talk at the end, and CVE stickers were popular. Our presentation can be found here: <http://cve.mitre.org/CVEIDsAndHowToGetThem.pdf>

The CNA Meet-up was a success as well. We had representatives from 13 CNAs from around the world. The conversation was light and friendly, and I took the opportunity to thank them for their participation and assistance. They seemed positive about the CNA program in general. These companies were represented:

Adobe

Siemens

Qihoo 360

JPCERT/CC

Cisco

Brocade

Juniper

Synology

F5 Networks

Akamai

IBM

HackerOne

Elastic

During both conferences, Anthony and I talked to dozens of vendors and vulnerability researchers. We answered questions about the program and encouraged everyone to submit CVE requests or join the CNA program. We also talked to researchers about what information is available through CVE and encouraged them to reach out to us to discuss what other metadata may be useful for the community. As usual, I have a stack of business cards that I will go through to keep in communication with these stakeholders.

Based on the presentations and hallway conversations, there continues to be a lot of work going on in the vulnerability research space. Bug bounties were a big topic at Black Hat, and it seems that working with bug bounty programs like HackerOne or BugCrowd will help widen the scope for CVE in an efficient way. I found that the PSIRT function was missing from a number of mid- to small-sized vendors I spoke with, which would affect our CNA expansion efforts when it comes to connecting to vendors.

Please let us know if you have any questions.

Thanks.

-Dan and Anthony

Page Last Updated or Reviewed: August 18, 2017