Survey says… Making progress in the Vulnerability Disclosure Debate

Presented at BSidesLV 2016, Aug. 3, 2016, 11 a.m. (85 minutes)

The vulnerability disclosure debate isn't new. But as more vendors realize that they are software vendors, and as DMCA exceptions affect companies that touch citizens around the world, we need to get this right. The US Department of Commerce has sought to bring together important stakeholders, including security researchers and technology vendors to identify common ground and a path forward for better security for everyone. This presentation will share some preliminary observations, and allow the security community to weigh in on this important process.

Presenters:

• Amanda Craig - Senior Cybersecurity Strategist - Microsoft
  Amanda Craig is a Senior Cybersecurity Strategist in Trustworthy Computing's Global Security Strategy and Diplomacy (GSSD) team at Microsoft. As part of GSSD, she focuses on policy issues related to cloud security, cyber risk management, and coordinated vulnerability disclosure, working to address complex global change and to advance trust in the computing ecosystem. She is the co-author of two Microsoft publications, Transforming Government: Cloud policy framework for innovation, security, and resilience and Transforming Government: A cloud assurance program guide. She is also a co-chair of the Awareness and Adoption working group within the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) multistakeholder process on vulnerability disclosure. Talk to her about your favorite hiking trail, living in Egypt, future technology predictions, and coordination that achieves change.
• Allan Friedman - Director of Cybersecurity - US Department of Commerce
  Dr. Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce, where he runs multistakeholder processes on issues including IoT and vulnerability disclosure. Prior to joining the Federal government, Friedman was a noted infosec and technology policy researcher at a range of institutions, including Harvard University, the Brookings Institution, and George Washington University. Wearing the hats of both a technologist and a policy scholar, his work spans computer science, public policy and the social sciences, and has addressed a wide range of policy issues, from cryptography to telecommunications. Friedman has over a 15 years of experience in security research, with a particular focus on economic, market, and trade issues. He is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014). Friedman has a Computer Science degree from Swarthmore College, a PhD in Public Policy from Harvard University, and has made his peace with the word "cybersecurity."
• Jen Ellis - VP of community and public affairs - Rapid7
  Jen Ellis is Rapid7's Vice President of Community and Public Affairs. She believes security practitioners are the guardians of Society's trust in technology, and works extensively with security professionals, technology providers/operators, and various Government entities to promote better collaboration. She believes this is our best path to reducing cybercrime and protecting consumers and businesses. To this end, Jen also provides free skills training to security professionals so they can get greater buy-in and achieve more positive security outcomes. She has testified before Congress and spoken at numerous security industry events.

Links:

• https://bsideslv2016.sched.com/event/7aPl/survey-says-making-progress-in-the-vulnerability-disclosure-debate

Similar Presentations:

• Diana Initiative 2023 / Managing Coordinated Vulnerability Disclosure - The Art Of Wrangling Cats
• BSidesLV 2015 / Don’t hate the Disclosure, Hate the Vulnerability: How the government is bringing researchers and vendors together to talk vulnerability disclosure.
• DEF CON 19 (2011) / Is it 0-day or 0-care?