CISA fired most of the people who were helping report KEVs so now they expect us to do it for them.
-
CISA fired most of the people who were helping report KEVs so now they expect us to do it for them. Nope.
-
R relay@relay.infosec.exchange shared this topic
-
CISA fired most of the people who were helping report KEVs so now they expect us to do it for them. Nope.
@cR0w imagine gathering the goodwill from an entire community and then setting it on fire.
-
@cR0w imagine gathering the goodwill from an entire community and then setting it on fire.
@h2onolan These are wild times.
-
CISA fired most of the people who were helping report KEVs so now they expect us to do it for them. Nope.
Even worse, they don't even host the report form. It's through Qualtrics.
CISA KEV Nomination Form
This form allows external users to submit a Common Vulnerabilities and Exposures (CVE) entry for consideration to be added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog. The KEV Catalog highlights vulnerabilities that are actively exploited and pose significant risk to organizations. By nominating a CVE, you help CISA identify and prioritize vulnerabilities that require urgent attention and remediation across critical infrastructure and enterprise environments.
(cisasurvey.gov1.qualtrics.com)
-
CISA fired most of the people who were helping report KEVs so now they expect us to do it for them. Nope.
@cR0w you know, ... whispers "gayint gcna"
-
@cR0w you know, ... whispers "gayint gcna"
@nyanbinary That's way too much work.
-
CISA fired most of the people who were helping report KEVs so now they expect us to do it for them. Nope.
@cR0w LOL US gov infosec is a fucking joke. A few years ago tried to do something for a government HackerOne bounty and even with web hacking being the weakling of my hacking skills (far better and more specialized in DRM reverse engineering, for example) I *nearly* broke into the external access portal of a pretty spicy government system that was within the bounty scope lmao. I did manage to get the page to profusely misbehave on command too. No bounty of course but yeah.... Still showed it was sketchy as hell they were IIRC like one step or server setting away from having to probably paying out 5 figures for a severe vuln report.
-
@cR0w LOL US gov infosec is a fucking joke. A few years ago tried to do something for a government HackerOne bounty and even with web hacking being the weakling of my hacking skills (far better and more specialized in DRM reverse engineering, for example) I *nearly* broke into the external access portal of a pretty spicy government system that was within the bounty scope lmao. I did manage to get the page to profusely misbehave on command too. No bounty of course but yeah.... Still showed it was sketchy as hell they were IIRC like one step or server setting away from having to probably paying out 5 figures for a severe vuln report.
@ABT1181 Good old contractors. And now look how much is Wordpress.
-
@ABT1181 Good old contractors. And now look how much is Wordpress.
@cR0w Lol WordPress needs a lot of care from people with much more web coding skill than me... That shit if you dont set it up right is so easy to compromise regardless of your skill level. Have had a few people use me for security testing in hopes to save a buck on cybersecurity for their sites and they all got pwned by basic holes in under 5 minutes lol. Also abused a WordPress language switcher glitch and one dumb authentication bug to log out the admin of JINR's (Russian version of CERN) public facing web site server 4 years ago from the comfort of a college dorm laundry room using nothing but my cell phone without even being actually logged in to her account in any way. As for the failed attempt at gov bug bounty, my god that was a fully custom stack fuckmess full of terrible security decisions and they simply got lucky that I couldn't quite get shit to report but someone more skilled at web specific stuff than me could likely find a way in lol.
