CANCELLED - How to Build the Immune System for the Internet

Black Hat USA 2016

Presented by: Xiaodun Fang
Date: Thursday August 04, 2016
Time: 09:00 - 09:25
Location: Lagoon K

This talk will not bring any new technical discussion on a particular security aspect, but will focus on sharing the experience of trying to build an immune system for the Internet, one that involves whitehats, users, enterprises and organizations. WooYun, the unique platform we built to link this immune system, was founded in 2010 and has over 20,000 whitehats. The platform has a large influence over East Asia and has delivered nearly 200,000 vulnerabilities to the corresponding enterprises and organizations; all of those vulnerabilities are full disclosures. The Internet consists of billions of users and a huge number of companies. Regular users and companies face real attacks every day, but may lack the awareness or the ability to solve them. At the same time, criminals have built all kinds of underground markets to profit from security exploitation. Is it possible for us to build an immune system for the ecosystem that helps address the current situation? Let's take a look at the current ecosystem first. On the positive side, there are lots of whitehats who are interested in different security fields and willing to develop their careers or earn the respect of the community, along with companies willing to make their online services and products more secure. Those basic intentions make building an immune system possible. Conventionally, companies concerned about security do offer a certain path for researchers to report vulnerabilities in their products. Those companies build their own handling rules and timelines, and may offer possible rewards and acknowledgement, but the detailed information about the vulnerabilities will not be disclosed.

To build the immune system, we expect a more open ecosystem; our starting point is to improve the process of vulnerability disclosure. The major change in the WooYun version of the process is that the full detailed information about a vulnerability is disclosed to the public after it has been fixed. By registering an account, companies can directly join the ecosystem and begin to receive related vulnerabilities; this fulfills the needs of companies that lack a platform to receive and track the status of their own vulnerabilities, and also offers a chance for companies that are internally willing to improve their current vulnerability handling process. Apart from reporting vulnerabilities in popular software products, whitehats may also report misconfigurations and bad coding in companies' own online services. Previously, vulnerability disclosure offered only a static view of an individual product's security; now, that shared information is connected into a view of the living Internet's security. An obvious advantage of this change is that companies can avoid more potential problems by learning from shared vulnerabilities. To achieve this expectation, we built the WooYun platform to connect whitehats and companies. In recent years, more than 20,000 whitehats and nearly every major enterprise involved in the Chinese Internet have joined this platform. By helping the ecosystem become more open, we believe we are helping the community achieve a more secure Internet in the future.

Xiaodun Fang

Xiaodun Fang is the founder of the 80sec Security TeamID and the former Security Team Leader at Baidu. He also founded the WooYun Security Community.
