Security researchers contact organisations to let them know of potential vulnerabilities. Have you ever wondered why you may not be getting a response? Could it be that you were not reporting an actual vulnerability? Did you have a proof of concept? Did you use an email address that you didn't monitor? Before damning the organisation, remember that there are always two sides to every coin.
In this presentation, we want to share the organisational viewpoint. Of course, we value infosec researchers pointing out vulnerabilities to us, and of course we want to do the right thing. However, this doesn't always go well when the researcher doesn't follow some basic guidelines when submitting a report. Receiving an unsolicited vulnerability disclosure that concerns another organisation is just one of those things that should be avoided.
We will highlight things to avoid when you contact an organisation and provide a cheat sheet of helpful things to include in your vulnerability disclosure.