Carolina Adaros

Product Security Incident Handler, Bosch PSIRT

Carolina Adaros is an Electronics Engineer with an MSc in Analytics, Risk Analysis and Operational Research. She started her career in the field of Industrial Control and Automation, shifting later to Statistics Process Control, Software Quality Management and Process Improvement and IT Consultancy. After almost a decade of professional experience, she started a PhD in Cybersecurity in 2017, focusing on the continuous monitoring of cyber-risks in the Industrial Internet of Things (IIoT) and Industrial Control Systems (ICS). In 2019 Carolina started to work in the Bosch PSIRT (Product Security and Incident Response Team) in Germany while working on finishing her PhD on a part-time basis.

ABSTRACT

“Challenges of Vulnerability Management and Disclosure Processes in a big organisation – The Bosch PSIRT”

According to research published by the IoT Security Foundation, vulnerability management and disclosure best practices in IoT products are not widely adopted in the industry. This is consistent with the testimony of several security researchers who often cannot find the appropriate channels to report security vulnerabilities that they find in IoT products. It is also not unusual for researchers to receive no acknowledgement for their reports or in some cases even being threatened with legal action instead. Having a dedicated and easy to find channel to report vulnerabilities and well-established processes to manage vulnerability reports is an important aspect to assure a good level of security throughout the entire product lifecycle. However, adopting industry best practices for vulnerability information disclosure is just a first step since there are many challenges associated with the whole vulnerability disclosure process, especially in big and diverse organisations.

In this talk we will see the case of the Bosch Product Security and Incident Response Team (PSIRT). The main topic will be to discuss how we have applied most of the industry best practices on vulnerability responsible disclosure and which have been our main challenges. Our main reference framework is the FIRST.org PSIRT Services Framework. In addition, we have verified our compliance with most of the clauses of ISO/IEC 29147 and the Vulnerability Disclosure Best Practice Guidelines of the IoT Security Foundation. While we are aware that we still have a lot to learn, we also know that we can claim to be among the small percentage of IoT companies that are making a huge effort to “do the right thing” regarding cyber-security. Hence, we believe that we have valuable experiences to share with the cyber-security community.