Managing Coordinated Vulnerability Disclosure - The Art Of Wrangling Cats

Presented at Diana Initiative 2023, Aug. 7, 2023, 11 a.m. (30 minutes)

Security researchers around the world are doing a great job reporting security vulnerabilities to affected vendors and companies to help protect users worldwide. We all enjoy learning the technical details and stories behind the vulnerabilities. However, the process of Coordinated Vulnerability Disclosure (CVD) is not always as straightforward as it seems. When a coordinated vulnerability disclosure involves multiple vulnerabilities and/or vendors, a lot more goes into the disclosure process. The Microsoft Vulnerability Research (MSVR) program has been a part of many different CVDs, and we are the middle-man that ensures the disclosure is done responsibly. This talk will give you some insight into the "invisible" but important portion of CVD that we don't often see or hear about: the case management team that coordinates these disclosures.

Presenters:

  • Tina Zhang-Powell - Microsoft
    Tina Zhang-Powell is a Senior Security Program Manager at the Microsoft Security Response Center (MSRC), part of the team that handles all security vulnerabilities reported for Microsoft’s products and services. She constantly strives to seek collaborative opportunities and create inclusive professional work environments for all.
