This talk is an introduction to WooYun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedback. Beyond tracking vulnerabilities, WooYun also gives researchers a platform for public-interest work, study, communication, and research. In my presentation I will introduce how WooYun works and why we started this project, what WooYun has changed in the Chinese security community, and why, when, and where it was built, how it developed, and the difficulties we met along the way.
2. About Me
• Founder of the 80sec security team (ID: 剑心)
• Former security architect at Baidu
• Founder of the WooYun security community
3. About Me
• A hacker idealist
• A hacker pragmatist
6. What We Are Talking About When We Talk About Security
• We can hack the most secure car in the world
• But we cannot stop people from using weak passwords
7. The Internet Environment We Face
• Billions of users
• A huge user base drives an equally huge black-market industry
8. The Internet Environment We Face
• Enterprises and applications that grew explosively in a very short time
• Survive first, think about security later
9. The Internet Environment We Face
• Relatively immature regulations and mechanisms
• Security compliance matters more than actually being secure
10. The Internet Environment We Face
• Rapid development of cloud and new technologies
• Even the locks on our homes are now being connected to the network
11. If You Are a White Hat
• You cannot get a higher salary or better career development
• Enterprises do not value security, because users do not understand security
12. If You Are a White Hat
• Because commercial security communities lack sharing and discussion
• You will have fewer and fewer friends and more and more enemies
13. If You Are a White Hat
• Your enterprise's security posture will not improve because of your hard work
• Because the network environment keeps getting worse, you have more and more enemies
15. Where Is the Silver Bullet?
• Can we solve these security problems with better security technology?
16. Where Is the Silver Bullet?
• Where is the core of the problem?
17. The Reason Why
Closed environment
– Users (being closed keeps them from seeing the real problems)
– Enterprises (if users cannot see the problems, there is no need to invest)
– Industry (information asymmetry can be turned into profit)
18. The Conventional Vulnerability Disclosure Process
• The vulnerability is submitted to the vendor first
• The vendor confirms and fixes it and pushes a patch
• No information is proactively disclosed to the public
• Possible commercial cooperation, rewards and acknowledgements
19. The Responsible Vulnerability Disclosure Process
• Matches the enterprise's own interests
• Matches the early information security environment
20. Changes
• MS/Adobe/Apple
– Closed system
– Endpoint security
• Google/Amazon/Apple
– Open system
– Cloud security
21. What We Hope For
Open
– Users (through public disclosure of security information, they can understand security)
– Enterprises (users' attention to and understanding of security will make enterprises increase their investment in security)
– Industry (a transparent environment raises the value of products and technology)
22. The Responsible Vulnerability Disclosure Process (WooYun Version)
• The vulnerability is submitted to the vendor first
• The vendor confirms and fixes it and pushes a patch
• All vulnerability details are disclosed publicly
• Important vulnerabilities are flagged with an early warning and discussed
23. The Responsible Vulnerability Disclosure Process (WooYun Version)
• Matches the industry's demand for security in the current environment
• Matches the security environment of today and of the future
24. The Core Value System of the WooYun Ecosystem
• All enterprises can fix their own security problems immediately and understand Internet risk
• The community and enterprises can learn from publicly disclosed problem details and so prevent more problems
• Through disclosed problems, users can learn whether their own data is at potential risk
28. What We Have Done
• More than 10,000 white hats have reported more than 100,000 vulnerabilities for the Internet industry
29. What We Have Done
• The discovery-and-fix cycle for important security vulnerabilities has been shortened to weeks or even less
30. What We Have Done
• Users learn about important security risks and urge enterprises to deal with them
31. What We Have Done
• Once enterprises understand security better, the community's white hats have better career prospects
32. What We Have Done
• White hats + users + enterprises + government form a healthy security immune mechanism