How to Disclose an Exploit Without Getting in Trouble

Presented at DEF CON 22 (2014), Aug. 9, 2014, noon (60 minutes)

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This session will cover the risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of legal action and suggest several approaches to responsible disclosure.

Presenters:

• Tod Beardsley - Engineering Manager, Metasploit project
  Tod Beardsley (@todb) is engineering manager for the open source Metasploit project, as well as one of the core developers on the framework. His background is primarily in intrusion prevention, vulnerability assessment and identification, anti-fraud/anti-phishing countermeasures, penetration testing and compliance auditing, intrusion detection and response, protocol analysis, and host hardening. He is also interested in computer crime forensics and recovery, reverse engineering and binary analysis, steganographic communication channels, and cryptography in general. Tod’s technical specialties include protocol analysis and reverse engineering, intrusion detection and prevention, phishing and online fraud, open source software engineering collaboration, and application vulnerability research and exploitation.
• Jim Denaro - CipherLaw
  Jim Denaro (@CipherLaw) is the founder of CipherLaw, a Washington, D.C.-based consultancy and focuses his practice on the legal, technical, and ethical issues faced by innovators in information security. Jim is a frequent speaker and writer on legal issues in information security and has experience in a wide range of technologies, including intrusion detection and prevention, botnet investigation, malware discovery and remediation, and cryptography. Jim is a regular consultant on responsible disclosure policies and is involved in programs to shield researchers who disclose responsibly. Jim has completed professional coursework at MIT and Stanford in computer security and cryptography. He also holds technical certifications from the Cloud Security Alliance (CCSK) and Cisco Systems (CCENT), and has passed the CISSP examination (pending certification). Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug.

Links:

• https://defcon.org/html/defcon-22/dc-22-speakers.html#Denaro
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Jim Denaro & Tod Beardsley - How to Disclose an Exploit Without Getting in Trouble - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Jim Denaro & Tod Beardsley - How to Disclose an Exploit Without Getting in Trouble - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Jim Denaro & Tod Beardsley - How to Disclose an Exploit Without Getting in Trouble - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 video and slides/DEF CON 22 - Jim Denaro & Tod Beardsley - How to Disclose an Exploit Without Getting in Trouble - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=Y8Cpio6z9qA

Similar Presentations:

• DEF CON 21 (2013) / How to Disclose or Sell an Exploit Without Getting in Trouble
• 30C3 (2013) / Disclosure DOs, Disclosure DON'Ts: Pragmatic Advice for Security Researchers
• DEF CON 24 (2016) / Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game