Scanning and reporting vulnerabilities for the whole IPv4 space. How the Dutch Institute for Vulnerability Disclosure scales up Coordinated Vulnerability Disclosure

Presented at May Contain Hackers (MCH2022), July 23, 2022, 3 p.m. (50 minutes)

The Dutch Institute for Vulnerability Disclosure scans the internet for vulnerabilities and reports these to the people who can fix them. Our researchers will go into some of our recent cases, and our board members will describe how we professionalise vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy.

The Dutch Institute for Vulnerability Disclosure scans the internet from our own AS (50.559) for vulnerabilities and reports these to the people who can fix them. In this session our board members will describe how we professionalise vulnerability disclosure with an independent foundation, a Code of Conduct, a common identity, a collaboration platform for independent researchers and a CSIRT to report vulnerabilities to owners of vulnerable systems. Our researchers will go into some of our better-known cases, ranging from Citrix 2020 to Kaseya VSA and Log4j in 2021, and others which commenced between filing this proposal and the conference. They will demonstrate how to scan, validate data and report to users, and how they responded. By doing this, we kind of break several laws on computer crime and privacy protection. Still, we are allowed to, as we serve to make the internet more secure. Moreover, we also guide young security researchers to the responsible path of vulnerability disclosure. And we do it Dutch style: open, direct and for free.

Presenters:

  • Astrid
    Treasurer, lobbyist and foster parent to many young hackers. She started as sysadmin 20 years ago, but has mostly been politically active since, as Member of Parliament and in numerous NGOs. Her preferred channel is f2f.
  • Chris van 't Hof
    Chris van ’t Hof is an independent researcher, writer and presenter in information technology. With his background in both electrical engineering and sociology, he analyses the interaction between human and electronic networks. His eighth book is “Helpful Hackers. How the Dutch do Responsible Disclosure.” His company Tek Tok organises conferences, workshops and IT security training. As Secretary of the Dutch Institute for Vulnerability Disclosure, he helps ethical hackers to clean up the internet for free. He also has his own talk show: Hack Talk.
