Red teaming Sense? Bug bounty?

security

#1

In a forum like this, I’d be surprised if there are not other folks like me, wondering the same thing.

I have the privilege of being able to attend one cyber security conference or another about once a year. As such, I’ve seen a number of presentations about a researcher (or small group) who got a bright idea to try and hack pick-any-device just to see if they could. If you are not in this field, you might be surprised to know that there are companies who treat product security as an afterthought, and thus produce some very vulnerable devices. One of the most recent of these presentations was about hacking police body cameras.

I’m glad to see that Sense has taken some appropriate steps toward security. Also, I’ve just accepted that nothing I own is secure, so I sleep easily at night anyway. I think though there are some interesting questions, and possibly some folks in the community with knowledge to answer/postulate, so let’s see where this topic takes us.

Hypothetically, of course, unless someone at Sense wants a good presentation for a security conference…

  • Could a red team exercise or a bug bounty be worthwhile (the point of both is to find and responsibly disclose vulnerabilities so they can be fixed)?
  • What are the possible attack vectors?
  • What could an adversary do with a relevant vulnerability?

On a related point, does Sense have a team/individual responsible for device/data/comms security?


#2

@jamesroxford
I’m surprised there aren’t many responders to this, it’s such a great idea for those that have the knowledge and means.
Sense is currently on the “big bounty” list at


And here is Sense's page about vulnerabilities
https://sense.com/vulnerability.html
Also their email
Vulnerability@sense.com

They don’t offer any award or compensation but do promise no legal action


#3

@samwooly1, I almost just tagged you in my original post based on all your other content I’ve seen in this forum. :smiley:

I wasn’t aware of bugcrowd or a “big bounty” list. I tried to find the bounty on their site, but maybe I have to sign up first?

I have neither the knowledge nor the means, but I’d love to see a presentation on the Sense bounty at the next conference I attend! Is it possible to make an interesting presentation out of “yep, turns out it’s a fairly secure product…”? :man_shrugging:


#4

I only posted this last night, so hopefully it will get some traffic from other members.


#5

I’m pretty vocal and very new to forums, I’m learning the ropes.
Your topic here sure got my attention. I’m not only following it but I’ve bookmarked it so I’ll remember to keep an eye on it.
I’m not sure if Sense offers an actual bounty or not. I’m not a member there either and, since I’m not knowledgeable enough, I probably won’t sign up.
My feeling about security is that there is no such thing as 100% secure and every piece of software is vulnerable.
I’m sure there are some real “power users” here with the capabilities to investigate.


#6

Yep. This describes me exactly.