Standards are often force-fed to the industries they govern, but that doesn’t seem to be the case with the latest version of the PCI Data Security Council’s global Data Security Standard (PCI DSS). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.
“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” says PCI SSC executive director Lance Johnson. “Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”
Standards are often force-fed to the industries they govern, but that doesn’t seem to be the case with the latest version of the PCI Data Security Council’s global Data Security Standard (DSS). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.
“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” says PCI SSC executive director Lance Johnson. “Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”
Since its inception in 2020, Zoom’s private bug bounty program has awarded $2.4 million in payments and swag to security researchers, recruiting over 800 ethical hackers via the HackerOne platform. In 2021 alone, it paid $1.8 million to researchers for helping to identify and resolve more than 400 security bugs, with its bounties now ranging from $250 up to $50,000.
Zoom’s average initial response time to bug submissions is under four hours with full triage of reports typically taking less than 48 hours, while bounties are typically paid within 14 days of report submission. The videoconferencing platform’s foray into the bug bounty sphere has brought early success, but how does it calculate ROI for such an undertaking, and what lessons can CISOs learn when it comes to selling bug bounty concepts to senior management?
Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters.
An improper input validation vulnerability in FortiClient for Linux 6.4.x before 6.4.3, FortiClient for Linux 6.2.x before 6.2.9 may allow an unauthenticated attacker to execute arbitrary code on the host operating system as root via tricking the user into connecting to a network with a malicious name.
Tenable.sc leverages third-party software to help provide underlying functionality. Two of the third-party components (Apache and OpenSSL) were found to contain vulnerabilities, and updated versions have been made available by the providers.
Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of these issues. Tenable.sc Patch 202204.1 updates OpenSSL to version 1.1.1n and Apache to version 2.4.53 to address the identified vulnerabilities.
FinFisher has shut down operations. This is the spyware company whose products were used, among other things, to spy on Turkish and Bahraini political opposition.
Data privacy automation company LightBeam.ai has launched a new AI-powered data privacy automation platform designed to help organizations streamline compliance. LightBeam said its new offering takes an identity-centric approach to allow customers to automate compliance against a patchwork of existing and emerging privacy regulations such as GDPR, CPRA, HIPAA and PCI DSS. The platform will be officially unveiled at the IAPP Global Privacy Summit 2022 in Washington, April 11-13.
