The US DoJ recently released guidance on running vulnerability disclosure programs (the framework bug bounties operate under). The document is nothing earth shattering, but it does provide some free advice to organizations considering such programs.
Rendition’s advice to organizations considering a bug bounty program? Think VERY carefully about how it will impact your monitoring and detection strategies. People looking for bugs will create noise in your network – a lot of it. And the noise will look like attacks, because technically they ARE attacks. How will you separate this non-malicious attack traffic from the real attack traffic you should be concerned about? Before launch, decide how researchers will identify their traffic (a registered source range, a required header, dedicated test accounts) and how your SOC will tag it, because without that your analysts will either chase bounty hunters all day or learn to ignore anything that looks like a scan.
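As an added illustration (not code from the original post or from Rendition), here is one way a SOC could tag the expected noise without discarding it. It assumes a program design the post does not specify: researchers register a source range and send an `X-Bug-Bounty` header carrying their researcher ID, and both must match before an event is treated as bounty traffic. The log lines, CIDRs, IDs and host list are all constructed for the example.

```python
"""Tag WAF/IDS events that come from registered bug-bounty researchers so the
SOC can separate expected noise from traffic that still deserves attention."""
import ipaddress
from collections import Counter

# Assumed program design (not from the post): researchers register a source
# range and send an identifying header on every request. Both the header and
# the source address must match the registry, because a header alone is
# trivially spoofed by a real attacker who has read the program rules.
RESEARCHER_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed
KNOWN_RESEARCHER_IDS = {"rsrch-0417", "rsrch-0522"}            # constructed
IN_SCOPE_HOSTS = {"app.example.com", "api.example.com"}        # constructed

# Constructed sample log lines in a simplified WAF format:
# <timestamp> <src_ip> <host> <path> <rule> <X-Bug-Bounty header or '-'>
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 203.0.113.7 app.example.com /login?user=%27%20OR%201%3D1-- SQLi rsrch-0417",
    "2024-05-01T10:00:02Z 203.0.113.7 app.example.com /search?q=%3Cscript%3E XSS rsrch-0417",
    "2024-05-01T10:00:05Z 198.51.100.9 app.example.com /login?user=%27%20OR%201%3D1-- SQLi -",
    "2024-05-01T10:00:09Z 203.0.113.8 hr.example.com /admin SCAN rsrch-0522",
    "2024-05-01T10:00:11Z 192.0.2.44 api.example.com /v1/users/../../etc/passwd LFI rsrch-9999",
]


def parse_line(line):
    """Split one log line into a dict; paths are URL-encoded so they contain no spaces."""
    ts, src, host, path, rule, tag = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "host": host,
            "path": path, "rule": rule, "tag": None if tag == "-" else tag}


def classify(ev):
    """Return one of: bounty, out_of_scope, unverified, attack."""
    registered_ip = any(ev["src"] in net for net in RESEARCHER_CIDRS)
    if ev["tag"] is None and not registered_ip:
        return "attack"                      # ordinary hostile traffic
    if ev["tag"] in KNOWN_RESEARCHER_IDS and registered_ip:
        if ev["host"] in IN_SCOPE_HOSTS:
            return "bounty"                  # expected noise: tag it, keep it
        return "out_of_scope"                # researcher broke the rules: escalate
    # Header without a matching source, or registered source without a header:
    # the registry does not vouch for it, so treat it as a real attack.
    return "unverified"


def triage(lines):
    """Classify every event; return (category counts, events needing an analyst)."""
    counts = Counter()
    escalate = []
    for ev in map(parse_line, lines):
        cat = classify(ev)
        counts[cat] += 1
        if cat != "bounty":
            escalate.append((cat, str(ev["src"]), ev["host"], ev["rule"]))
    return counts, escalate


if __name__ == "__main__":
    summary, queue = triage(SAMPLE_LOGS)
    print(dict(summary))
    for item in queue:
        print("ANALYST:", *item)
```

Two design points matter here. Bounty-tagged events are counted and kept rather than dropped, so an attacker who happens to sit in a researcher's range is still visible in the record, and a registered researcher who wanders onto an out-of-scope host is escalated rather than hidden. The registry itself has to be fed from wherever researchers actually enroll (the bounty platform, a signup form), or the tagging drifts out of date within weeks.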
Read the full post here.