Multi-party vulnerability response in/with OSS

Presented at LocoMocoSec 2019, April 18, 2019, 2 p.m. (30 minutes).

The Microsoft Security Response Center leads vulnerability response and disclosure for all Microsoft’s products and services, including open source software that Microsoft maintains and products or services that consume OSS. OSS security vulnerabilities usually affect multiple parties, and in many cases these parties must come together to coordinate the disclosure to minimize the risk and disruption to end users (this is usually known as multi-party coordinated disclosure). This talk will present examples of multi-party coordination involving OSS, including coordination related to hardware (e.g., CVE-2018-8897), software (e.g., CVE-2019-5736) and standards/protocol weaknesses (e.g., CVE-2018-5391). We will extract commonalities, challenges, and lessons learned across several scenarios and provide our recommendations on coordinated multi-party response for organizations that are building or improving their product security response programs.

Presenters:

  • Jorge Lopez - Microsoft
    Jorge is a Principal Security PM Manager in the Vulnerability Response and Remediation team of Microsoft’s Security Response Center (MSRC). In this role, he leads a team responsible for intake, handling, and disclosure of security and privacy vulnerabilities in Microsoft’s products and services. Previously, he held other security roles at Microsoft, including Security Crisis Lead in the MSRC and in Windows’ security response team. Jorge has led several multi-party coordinated disclosures, including for the KRACK wireless issues in 2017 and Spectre & Meltdown in 2018. He started his career in the US Air Force, where he piloted a desk.