SPECIFICATIONS.md

Cisco Researcher Toolkit - Specification Document

1. Overview This document outlines the specifications for the Cisco Researcher Toolkit, a command-line or web-based utility designed to assist security researchers in identifying, classifying, and reporting vulnerabilities to Cisco's various Bug Bounty and Vulnerability Disclosure Programs (VDPs).

The toolkit's primary purpose is to demystify the submission process by embedding the logic of Cisco's program priorities directly into a simple, interactive tool. It will guide researchers from initial finding to final submission, ensuring their efforts are focused on areas most valuable to Cisco and rewarding for them.

2. Target Audience & Goals Primary Audience: Security researchers of all skill levels, from beginners participating in their first VDP to seasoned professionals working on bug bounties.

Primary Goal: To make the barrier to submit and participate as low as possible by providing a clear, guided process. The tool will help researchers understand what is valuable to the programs and what they can gain in return.

Secondary Goal: To improve the security and quality of Cisco's enterprise and industrial devices by fostering a stronger, more effective relationship with the researcher community.

3. Core Functionality: The Decision Engine The heart of the toolkit is an interactive decision engine that combines two key frameworks: the PIRR Value Framework and the Data Exposure & Reporting Guide.

3.1. The PIRR Value Framework This module helps a researcher evaluate the significance of their finding through a series of questions based on the PIRR framework.

P - Product Impact:

Question 1: "Which Cisco product line does this vulnerability affect?" (e.g., Meraki, Catalyst, Nexus, Industrial IoT, Security Appliance, etc.)

Question 2: "What is the potential impact of this vulnerability?" (e.g., Remote Code Execution (RCE), Privilege Escalation, Data Exposure, Denial of Service (DoS), etc.)

Question 3: "What is the estimated CVSS 3.1 score? (If unsure, the tool can link to a calculator)."

I - Infrastructure Research:

Question 4: "Did you find this vulnerability in a Cisco-owned cloud service/infrastructure (e.g., Meraki Dashboard) or on a customer-deployed device/software?"

Logic: This is a critical branching point. Infrastructure bugs often have a broader impact and may be routed differently than bugs in on-premise hardware.

R - Relationship Building:

This is not a direct question but a guiding principle. The tool will promote this by:

Generating a report template with sections for clear, concise, and reproducible findings.

Providing positive reinforcement and tips for writing high-quality reports.

R - Revenue Risk:

Question 5: "Does this vulnerability pose a direct risk to a business-critical function? (e.g., disrupt network operations, expose sensitive corporate/customer data, allow financial fraud)."

Logic: Findings with clear business impact are prioritized. The tool will flag these for the researcher as likely being of high interest.

3.2. Data Exposure & Reporting Guide Based on the initial finding, this module provides a clear "where to report" directive.

Input: The user selects the type of data exposure they've discovered.

Options:

Hardcoded credentials (API keys, passwords) in a public GitHub repository.

Exposed customer or employee Personally Identifiable Information (PII).

Vulnerability in a live, production Cisco/Meraki system.

Vulnerability in a demo, test, or non-production environment.

A bug that seems to be out-of-scope but is high-impact.

A security issue in a third-party library used by a Cisco product.

Output Logic: Based on the selection and answers from the PIRR module, the tool provides a precise recommendation.

Example 1: Finding: Hardcoded key in GitHub + Product: Meraki -> Recommendation: "This is a high-impact finding. Report this directly to the Cisco Meraki Bug Bounty Program for a potential reward. URL: https://bugcrowd.com/ciscomeraki"

Example 2: Finding: Vulnerability in demo system -> Recommendation: "Vulnerabilities in non-production environments are typically best for the VDP. This helps us secure our platforms and builds your reputation. Report to the Cisco Meraki VDP Pro. URL: https://bugcrowd.com/engagements/cisco-meraki-vdp-pro"

Example 3: Finding: Out-of-scope but high-impact -> Recommendation: "Even if a finding is technically out-of-scope, a high-impact vulnerability may be considered for a discretionary reward. Provide a detailed write-up focusing on the business risk. Submit to the most relevant program and explain your reasoning."

4. Value-Add Features To make the toolkit indispensable, it will include the following features:

analyze_submission_quality:

Functionality: A checklist-based linter for a submission draft. It asks the user yes/no questions:

Is the title clear and concise? (e.g., "RCE in Meraki Dashboard via crafted API call")

Have you included the affected product and version?

Is there a step-by-step Proof of Concept (PoC)?

Is the business impact clearly explained?

Have you included logs, screenshots, or a video?

Output: Provides a "Quality Score" and suggestions for improvement.

suggest_research_areas:

Functionality: An intelligent research assistant that combines static suggestions, AI-powered brainstorming, and automatic testing methodology detection to help researchers find interesting targets and appropriate testing approaches.

Core Features:

1. Static Suggestions: Includes a list of perennially important areas: API security, cross-tenant data access, hardware-specific attacks (JTAG, UART), supply chain security, and AI/ML security.

2. Smart Methodology Detection: Automatically analyzes research topics and recommends relevant OWASP testing guides:

   • IoT/Hardware keywords → OWASP ISTG
   • Firmware keywords → OWASP FSTM
   • AI/ML keywords → OWASP AI Testing Guide
   • Web/API keywords → OWASP WSTG

3. Enhanced AI Prompts: Injects methodology-specific context into AI suggestions:

   • IoT topics: Hardware interface exploitation, firmware analysis, wireless security
   • Firmware topics: Binary analysis, reverse engineering, bootloader security
   • AI topics: Prompt injection, model extraction, bias exploitation, hallucination attacks
   • Web topics: Authentication flaws, API security, input validation

4. Contextual Learning: Provides direct links to relevant sections of detected testing methodologies.

AI Security Testing Examples:

• "Cisco AI Assistant" → Prompt injection attacks, conversation boundary bypasses
• "AI Canvas model" → Training data extraction, model poisoning, adversarial inputs
• "LLM vulnerabilities" → Jailbreaking techniques, hallucination exploitation

Output Format: Displays recommended methodologies, AI-generated attack vectors, and contextual learning resources in a structured format for both CLI and web interfaces.

testing_guides:

Functionality: A comprehensive module that provides direct links to industry-standard testing methodologies with intelligent integration into the research suggester.

Content:

OWASP IoT Testing Guide (ISTG): https://owasp.org/owasp-istg/

OWASP Firmware Security Testing Methodology (FSTM): https://github.com/scriptingxss/owasp-fstm

OWASP AI Testing Guide: https://github.com/OWASP/www-project-ai-testing-guide

OWASP Web Security Testing Guide (WSTG): https://owasp.org/www-project-web-security-testing-guide

Enhanced Integration: The testing guides are now intelligently integrated with the research area suggester, automatically recommending appropriate methodologies based on research topics and enhancing AI prompts with methodology-specific attack vectors.

5. User Interface (UI/UX) The tool should be available in one of two forms, with the logic being reusable for both.

Option A: Command-Line Interface (CLI)

Technology: Python.

Interaction: An interactive wizard using a library like questionary or rich for a clean, color-coded experience.

Output: Text-based, with clear headings and clickable links.

Option B: Web Application

Technology: Vanilla HTML, CSS, and JavaScript. No backend required.

Interaction: A single-page application with a clean, responsive form. Questions are revealed progressively.

Styling: Use a utility-first CSS framework like Tailwind CSS to ensure it is clean, modern, and mobile-friendly.

6. Technical Stack (Recommendation) Language: Python 3 (for CLI) or JavaScript (for Web App). Python is recommended for its simplicity in scripting and handling web requests.

Dependencies (Python CLI):

requests: For fetching blog post titles.

beautifulsoup4: For parsing HTML from blogs.

questionary: For the interactive prompt system.

rich: For beautiful, formatted output in the terminal.

Dependencies (Web App):

None required, but Tailwind CSS is recommended for styling.

7. Distribution The tool will be open-sourced and hosted on a public GitHub repository.

It should be packaged for easy installation (e.g., via pip for the Python version).

The repository and a link to the live web tool will be featured in the DEF CON presentation and linked from Cisco's Bugcrowd program pages.