
CVE at Black Hat and DEF CON



Anthony Singleton and I represented the CVE program at Black Hat and DEF CON this year. Overall, the trip was successful, as our goals were to present to the DEF CON community about the CVE program, hold a CNA Meet-up during Black Hat, and raise general awareness of CVE at both events.


Anthony and I presented "CVE IDs and How to Get Them" at the Wall of Sheep at DEF CON. We had an attentive and friendly audience of about 50-60 people. We answered a number of questions, and the technical level of our talk was correct for the crowd. We had a few people stick around and ask questions or compliment our talk at the end, and CVE stickers were popular. Our presentation can be found here: <http://cve.mitre.org/CVEIDsAndHowToGetThem.pdf>


The CNA Meet-up was a success as well. We had representatives from 13 CNAs from around the world. The conversation was light and friendly, and I took the opportunity to thank them for their participation and assistance. They seemed positive about the CNA program in general. These companies were represented:

Qihoo 360
F5 Networks

During both conferences, Anthony and I talked to dozens of vendors and vulnerability researchers. We answered questions about the program and encouraged everyone to submit CVE requests or join the CNA program. We also talked to researchers about what information is available through CVE and encouraged them to reach out to us to discuss what other metadata may be useful for the community. As usual, I have a stack of business cards that I will go through to keep in communication with these stakeholders.


Based on the presentations and hallway conversations, there continues to be a lot of work going on in the vulnerability research space. Bug bounties were a big topic at Black Hat, and it seems that working with bug bounty programs like HackerOne or BugCrowd will help widen the scope for CVE in an efficient way. I found that the PSIRT function was missing from a number of mid- to small-sized vendors I spoke with, which would affect our CNA expansion efforts when it comes to connecting to vendors.


Please let us know if you have any questions.

-Dan and Anthony


Page Last Updated or Reviewed: August 18, 2017