Dragon Tails: Supply-side Security and International Vulnerability Disclosure Law

Presented at DEF CON 30 (2022), Aug. 12, 2022, 6:30 p.m. (20 minutes)

This talk will present a study of the reliance of proprietary and open source software on Chinese vulnerability research. A difficult political environment for Chinese security researchers became acute when a law requiring vulnerability disclosure to government and banning it to all others but the affected vendor took effect in Sept. 2021. No public evaluation of this law's impact has yet been made. This talk will present results of a quantitative analysis on the changing proportion of Chinese-based disclosures to major software products from Google, Microsoft, Apple, and VMWare alongside several major open source packages. The analysis will measure change over time in response to evolving Chinese legislation, significant divergence from data on the allocation of bug bounty rewards, and notable trends in the kinds of disclosed vulnerabilities. The Chinese research community’s prowess is well known, from exploits at the Tianfu Cup to preeminent enterprise labs like Qihoo 360. However, the recent law aiming to give the Chinese government early access to the community’s discoveries—and the government’s apparent willingness to enforce it even on high-profile corporations as seen in its punishment of Alibaba—demand more thorough scrutiny. This talk will address implications for policy and the wider hacker community.

Presenters:

• Trey Herr - Director
  Trey Herr is the director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His team works on cybersecurity and geopolitics including cloud computing, the security of the internet, supply chain policy, cyber effects on the battlefield, and growing a more capable cybersecurity policy workforce. Previously, he was a senior security strategist with Microsoft handling cloud computing and supply chain security policy as well as a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School and a non-resident fellow with the Hoover Institution at Stanford University. He holds a PhD in Political Science and BS in Musical Theatre and Political Science.
• Stewart Scott - Assistant Director
  Stewart Scott is an assistant director with the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His work there focuses on systems security policy, including software supply chain risk management, federal acquisitions processes, and open source software security. He holds a BA in Public Policy and a minor in Applications of Computing from Princeton University.

Links:

• https://forum.defcon.org/node/241941
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Stewart Scott, Trey Herr - Dragon Tails- Supply-Side Security and Intl Vulnerability Disclosure Law.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Stewart Scott, Trey Herr - Dragon Tails- Supply-Side Security and Intl Vulnerability Disclosure Law.srt (subtitles)
• https://www.youtube.com/watch?v=uYTbxNtZ1z4

Similar Presentations:

• Black Hat USA 2022 / (Long) Dragon Tails – Measuring Dependence on International Vulnerability Research
• The Eleventh HOPE (2016) / Chinese Mechanical Locks - Insight into a Hidden World of Locks
• DEF CON 18 (2010) / Balancing the Pwn Trade Deficit