Chrome zero-day, DoD bug bounty, and more: first officer's blog - week 8

The latest Chrome zero-day, the DoD's latest bug bounty program, and more. Here are the latest stories from the cyber security world.

Mike Parkin | July 11, 2022

First Officer’s log, Terrestrial date, 20220811. Officer of the Deck reporting.

The ship is back to normal operation and our patrol continues. As a support vessel, we are often in a position to “clean up the mess” discovered, or sometimes instigated, by the ships engaged in First Contact situations. They get all the glory. And that’s OK. They have often earned it, identifying threats like Chrome zero-day vulnerabilities and rogue employees, and blunting incursions when they happen. But without crews like ours making sure all the follow-up gets done after that initial attack, the situation behind the lines would be much, much worse.

We remain, as ever, vigilant.

Everyone wants to play

What happened

Bug Bounty programs are nothing new at this point. What was new was a malware gang recently offering a bug bounty program of their own. Now, not to be outdone, the US Department of Defense has joined the game with their own Bug Bounty program.

Why it matters

While this was a limited-duration program run by a third party, HackerOne, it shows that even the DoD can embrace the concept. Together with recent legislation to protect some “good intent” research (see earlier 1st Officer’s Log entries), it shows that government and industry can see the value in independent research and are willing to protect, and reward, the folks who do it.

What they said

The news has been met with plenty of responses across the board. Read more.

But, funnily enough...

Bad people do bad things

What happened

An employee of HackerOne was fired for effectively stealing other people’s research and claiming it as their own to collect bug bounties. While stealing other people’s work is, sadly, not unheard of in, well, any field, it’s not often seen in the security research community. HackerOne reacted quickly, severing ties with the offending employee.

Why it matters

Trust is a Big Thing™ in security research, both among researchers as a community and between researchers and the organizations that rely on them to help secure their applications. Hopefully, this breach of trust will be a reasonably isolated incident and won’t damage the ecosystem that’s developed. If anything, it will severely damage the reputation of the individual in question. Hopefully, it will also serve as a reminder that stealing other people’s work is not cool in anyone’s book.

What they said

No misuse of information gets off easy. This was no exception. Read more.

Another Chrome Zero-Day

What happened

Google has released a patch for CVE-2022-2294, which is the fourth Chrome zero-day vulnerability reported this year, and says the vulnerability has been exploited in the wild.

Why it matters

Google Chrome is one of the most popular browsers in the world, and with the proliferation of web applications and cloud applications that rely on browsers for management, zero-day exploits against Chrome, or any of its competitors, can be a serious problem. Fortunately, Google patched this one quickly, and anyone with automatic updates enabled will already be receiving the latest version.

What they said

Zero days are hot topics. And this one's no different. See what people are saying.
