Developments in Coordinated Vulnerability Disclosure: The government is here to help

Presented at Still Hacking Anyway (SHA2017), Aug. 6, 2017, 3:40 p.m. (60 minutes)

There has been much development in recent years on vulnerability disclosure. The Netherlands took the lead in 2013 by publishing an official guideline for "Responsible Disclosure". Much has happened since then: other countries have shown an interest, and there is even a (free!) ISO standard on Coordinated Vulnerability Disclosure. In this talk I'll summarise the global developments and explain how and why things have developed the way they have. At the end of this talk I'd also like to have an open discussion and collect feedback on how the Dutch government has handled this and how it can possibly improve.

#NetworkSecurity #PhysicalSecurity #DeviceSecurity #Politics

Vulnerability disclosure has earned its place in security. The trend of full disclosure died in the 90s as the realisation set in that writing software really is complex, and that not all vendors are at fault for having errors in their code. In the 21st century vulnerability disclosure has become more and more acceptable. The Netherlands is the only country that has an official policy on disclosure, but other countries have shown an interest. This can also be seen in the rise of companies that help with vulnerability disclosure, and in the large companies that run paid programmes, so-called bug bounties. Vulnerability disclosure and incident response have also become recognised practices in policy making: they played an important role in the discussions on export control and dual-use goods in the international Wassenaar Arrangement talks. Please join me for an open discussion!

Presenters:

  • 1sand0s
    Jeroen is an academic, hacker, tinkerer and thinker, and a member of Randomdata. He works at the National Cyber Security Centre, and holds a guest appointment at TU Delft and the University of Amsterdam. Jeroen van der Ham received his MSc in Artificial Intelligence from Utrecht University in 2002, his MSc in System and Network Engineering in 2004, and his PhD in 2010, the latter two at the University of Amsterdam, after which he continued his research in the same Network Engineering research group. In 2013 he switched to teaching in the System and Network Engineering Master's programme and focused on security, and especially on ethics in security. This led to the founding of one of the first ethics committees in computer science education. Since the beginning of 2015 he has worked at the National Cyber Security Centre (NCSC) as a security researcher, where he works on Coordinated Vulnerability Disclosure (aka Responsible Disclosure) and on the privacy aspects of incident response, and thinks about ethics in cybersecurity.
