I gave this talk at Codemash 2017, and here are all the resources I mentioned during the talk!
-
Make a keypair - instructions at PGP and You
-
Share it via Keybase or a key server so people can verify it belongs to you
-
Send encrypted emails to a friend for practice. Once you have gpg2 installed:
$ gpg2 ——import recipients-public-key.asc # write the body of your email in message.txt # e = encrypt, a = ascii, r = recipient $ gpg2 -ea -r Recipient message.txt $ pbcopy < message.txt.asc # paste into an email and send! # Copy reply encrypted with your public key # from your email into reply.txt.asc $ pbpaste > reply.txt.asc # d = decrypt $ gpg2 -d reply.txt.asc # enter your password and receive plain text! -
Add contact info + public key to your open source projects for people to report vulnerabilities
-
At work, add a
/securitycontact page
- Bug Hunter's Diary
- Locks and Safes: The construction of locks, 1868
- Scott Culp: It's time to end Information Anarchy, Oct 2001
- Bruce Schneier on The Window of Exposure, Nov 2001
- Katie Moussouris on Microsoft using the words Coordinated Disclosure instead of Responsible Disclosure, July 2010
- Adam Caudill: Responsible Disclosure is Wrong Nov 2015
- howdoireportavuln.com