Disclosure DOs, Disclosure DON'Ts: Pragmatic Advice for Security Researchers

Presented at 30C3 (2013), Dec. 28, 2013, 11 p.m. (60 minutes)

This talk will focus on responsible disclosure best and worst practices from both legal and practical perspectives. I'll also focus on usable advice, both positive and negative, and answer any questions the audience has on best practices. You've found a security vulnerability in someone else's product. What now? You want to report your finding so users can protect themselves, or so the vendor can repair their product, or so you as a researcher can give your talk or publish your paper. But how? You don't want to get sued! You don't want to go to jail! You don't want your talk cancelled! You don't want to lose your job! In my role as a lawyer at the EFF on the Coders' Rights Project, I advise security researchers, students, developers, and hackers of all varieties on how to report vulnerabilities. In this talk, I'll share some practical advice that will help the audience navigate the legal, ethical, and practical waters that surround the disclosure of security vulnerabilities. There is no one-size-fits-all approach responsible disclosure; every situation is different. I'll discuss how to make an offer of delayed publication not sound like a blackmail threat, and how to draw the right kind of attention to your talk without bringing too much of the wrong kind of attention with it. Finally, I'll talk about the different kinds of risk that disclosure entails, including the types of legal issues often faced by researchers. Instead of announcing rules that you must follow, I'll focus on a number of practical DOs and DON'Ts to help you minimize the risks involved.

Presenters:

  • Nate Cardozo
    Nate is a Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. He works on EFF's Coders' Rights Project where he helps protect programmers and developers engaged in cutting-edge exploration of technology. A former EFF Open Government Legal Fellow, Nate focuses his practice on Coders' Rights, free speech and privacy litigation, as well as continuing to dabble in Freedom of Information Act litigation. Nate is currently working on projects involving automotive privacy, hardware hacking rights, anonymous speech, electronic privacy law reform, and resisting the expansion of the surveillance state. Nate has a B.A. in Anthropology and Politics from the University of California, Santa Cruz and a J.D. from the University of California, Hastings, where he teaches first-year legal writing.

Links: