It has been 3.5 years since I left the NSA. While working there, I could not publish anything of value. Because of all of the OpSec ingrained in me, I have shied away from publishing my research, findings, and discoveries the past few years. Attending Derbycon 2017 helped to finally break my OpSec shell.
One of the recurring themes I heard throughout the con was, “Share your research and findings with the community”. Additionally, another catalyst for me was @strandjs’s charge to, “Break everything and write a blog about it”. Although I still have struggles with the balance between “good guy needs to know X” vs. “bad guy will know X”, I’ve decided to start publishing everything, by default, unless I have specific concerns. In addition, I plan to back-publish everything I’ve been sitting on the past few years.
The other line I’ll be trying to narrow in on is “vulnerability in need of vendor disclosure only” vs. “vulnerability in need of a full disclosure process” vs. releasing an “attack vector”. That is going to be a challenge for me, especially when it’s vendor specific. My current plan is to give vendors a 7-day warning for “attack vectors” and 30 days for actual vulns.