Responsible Disclosure Roundtable: You Mad Bro?

Presented at Black Hat USA 2014, Aug. 6, 2014, 5 p.m. (60 minutes)

Finding and communicating vulnerabilities is de rigeur for Black Hat speakers- and experiences vary wildly. For companies being notified, the maturity of their response is on a spectrum- no idea what to do, some have a security@ alias set up, others have a formal management process, others have fully funded bounty programs. Even the simple act of keeping researchers informed on a timely basis and making sure patches actually happen and are rolled out with proper notification is a huge hassle, with or without a bounty. Is it worth it? Managing disclosure is a minefield for both the researcher, and the company being notified. Join us in this session for a live discussion on the pro's and con's of a disclosure program, considerations for both the company and the researcher, and a discussion of the common pitfalls.

Presenters:

• Trey Ford - Rapid7
  Trey Ford is the Global Security Strategist at Rapid7 where he serves as a customer resource, industry and community advocate. Over the last 15 years, Trey ran Black Hat events worldwide as General Manager, and served functions ranging from incident response, product management, PCI QSA and security engineer for a variety for industry leaders including Zynga, McAfee, FishNet Security and WhiteHat Security.

Links:

• https://www.blackhat.com/us-14/roundtables.html#Ford

Similar Presentations:

• DEF CON 10 (2002) / Disclosure: The Mother of All Vulnerabilities
• Still Hacking Anyway (SHA2017) / Developments in Coordinated Vulnerability Disclosure: The government is here to help
• BSides Austin 2016 / If You Can't Beat 'Em, Join 'Em: Tips For Running a Successful Bug Bounty Program