FCW : November and December 2016
20 November/December 2016 FCW.COM Cybersecurity

to executing attacks is not acceptable behavior. Stamos concluded that Facebook should have moved to fix the problems faster and perhaps been more explicit about what it considers to be ethical behavior and what it doesn’t.

Many companies that run bug bounty programs provide lists of dos and don’ts. GitHub, for instance, asks researchers not to access its users’ accounts or data, not to launch denial-of-service attacks and not to publicly disclose bugs until they are fixed, among other things.

A glance through the community-curated listings of bug bounties and disclosure policies at Bugsheet.com reveals some commonalities among companies when it comes to disclosure policies (i.e., don’t publicly disclose the problem until it has been fixed), but the level of detail provided in the policies varies widely.

For example, Uber’s bug bounty policy explicitly states that payout amounts are not pinned to the vulnerability itself but to the severity of the potential impact. “This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a microsite,” the company’s policy document states. “When we have our reward meetings, we always ask one question: If a malicious attacker abuses this, how bad off are we? We assume the worst and pay out the bug accordingly.”

Although every organization operates in its own way, the International Organization for Standardization and the International Electrotechnical Commission offer a comprehensive policy document (with input from Moussouris) that serves as a valuable reference point for vulnerability disclosure processes and policies. The document is numbered ISO/IEC 29147.
‘Transparency has to be a two-way street’

David Berteau, former assistant secretary of Defense for logistics and materiel readiness and now president and CEO of the Professional Services Council, said the Pentagon’s bug program is an “easily supportable concept” and “a laudable idea.” “Both the private-sector companies

In indictments filed with district courts in three states, the U.S. government charged that British hacker Lauri Love and his co-conspirators exploited vulnerabilities in Adobe’s ColdFusion web application to steal information from databases at several federal agencies, including the Missile Defense Agency and NASA. The high-profile case illustrated how damaging it can be to leave vulnerabilities unfixed.