Adrian Stone, Sr. Director, EA Product Security
Recently we launched our Product Security Vulnerability Reporting Program on the EA Security Website. The journey so far has been incredibly rewarding and humbling, and we want to especially thank the researchers in the security community who have joined us to keep our players, games, and infrastructure safe. Working with researchers will continue to be a central tenet as we continue to invest in and evolve our approach to securing the gaming ecosystem.
So why am I writing to you now?
We are learning a lot through our interactions with the security research community, and we investigate each report that we receive. One of the things we’ve learned is that having a way to communicate with the larger security community, and with our gamers who are interested in security engineering issues, is important. As a result, we’ve decided to create a new communication mechanism, the EA Security Blog. We are also working on additional ways to communicate with customers, and we will update the blog as those services are made available.
I also have a shameless plug: you guys are awesome, and we are hiring! Our Security teams at EA cover a diverse range of security areas, from Enterprise Security, which protects EA’s corporate systems from malware attacks and intrusions, to Product Security Engineering, which ensures EA’s games and online services are secured throughout the development lifecycle. Of course, threats evolve and change over time, and for that we have both corporate and product security response teams to deal with emerging threats that affect the company or our players.
In the infancy of our Vulnerability Reporting Program, there are two questions that are nearly always raised, and I’d like to share these here.
1) How does EA determine the security impact?
We use two methods to determine issue severity. The first method is the industry-recognized CVSS scoring system. The second is a 4-tiered classification scale ranging from Critical to Low. The most severe rating, Critical, is reserved for issues that require little or no user interaction for the vulnerability to be successfully exploited. With a Critical severity issue, a player or their device might be vulnerable to attack using a default configuration, and the issue might be leveraged by a remote attacker without their knowledge. From there we work our way across the remaining three classifications (Important, Moderate, Low), taking into account the barriers an attacker would have to overcome to leverage the vulnerability. In its simplest terms, the more challenges an attacker must overcome to exploit the vulnerability, the lower the severity.
2) How does EA classify the severity for issues that are reported?
For Security Impact ratings the answer is simple: we use the industry-recognized STRIDE security model. It’s a classification model that clearly enumerates the impact of a vulnerability. When we receive a report of a potential security issue, a member of the security team triages it as the first step in our investigation process. If the issue meets the bar for additional investigation, a security engineer is assigned to work with technology owners within EA to address the issue. As part of the investigation, a Security Impact and a Severity are assigned.
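As an added illustration of the two ratings described above (this is example code, not EA’s own triage tooling), the helper below records the STRIDE impact class for a report and derives the four-tier severity from the exploitability metrics of a CVSS v3 vector: a report with no remaining attacker barriers is Critical, and each additional barrier lowers the tier by one step. The one-step-per-barrier mapping, the report format, and the sample vectors are assumptions.

```python
"""Constructed triage helper: STRIDE impact plus a four-tier severity derived from CVSS v3 exploitability metrics."""
from typing import Dict, List

# STRIDE impact classes (what an attacker gains), keyed by their first letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Severity tiers from most to least severe, as on the page.
TIERS = ["Critical", "Important", "Moderate", "Low"]


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Turn 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3.x vectors are supported")
    return dict(p.split(":", 1) for p in parts[1:])


def attacker_barriers(metrics: Dict[str, str], nondefault_config: bool = False) -> List[str]:
    """List the challenges an attacker must overcome, read from the exploitability metrics.
    CVSS has no metric for 'works in the default configuration', so that judgement is
    passed in by the triager as the nondefault_config flag (an assumption of this example)."""
    barriers = []
    if metrics.get("AV") != "N":
        barriers.append("not reachable from the network (AV:%s)" % metrics.get("AV", "?"))
    if metrics.get("AC") == "H":
        barriers.append("high attack complexity")
    if metrics.get("PR") in ("L", "H"):
        barriers.append("prior privileges required")
    if metrics.get("UI") == "R":
        barriers.append("user interaction required")
    if nondefault_config:
        barriers.append("non-default configuration required")
    return barriers


def severity_tier(metrics: Dict[str, str], nondefault_config: bool = False) -> str:
    """Assumed mapping: zero barriers is Critical; each further barrier drops one tier, bottoming out at Low."""
    count = len(attacker_barriers(metrics, nondefault_config))
    return TIERS[min(count, len(TIERS) - 1)]


def triage(report_id: str, stride_code: str, vector: str, nondefault_config: bool = False) -> dict:
    """Produce the impact/severity record assigned during investigation (record layout is assumed)."""
    metrics = parse_cvss_vector(vector)
    return {
        "id": report_id,
        "impact": STRIDE[stride_code.upper()],
        "severity": severity_tier(metrics, nondefault_config),
        "barriers": attacker_barriers(metrics, nondefault_config),
    }
```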
I’m incredibly excited about what partnering with the community can do to benefit the overall gaming ecosystem. Stay tuned for more.
- A
Adrian Stone