Congratulations! You Found a Security Vulnerability in an Open Source Project! Now What?

Presented at ShmooCon 2023, Jan. 21, 2023, 4:30 p.m. (30 minutes)

After hours of puzzling over your debugger, decompiler, or pentesting toolkit, you’ve finally cracked it. The security vulnerability you strongly believed was present almost evaded you, but now you’ve got proof! You’ve achieved the thrill of finding a vulnerability that, hopefully, no one else on the planet knows exists!

Now the process of vulnerability disclosure can begin. But where do you start? How does this process work? How do you report a vulnerability? To whom? How do you actually get these things called CVE numbers you’ve heard so much about? What do you do if the process falters?

In this talk we will demystify the vulnerability disclosure process by presenting a recently published Open Source Security Foundation (OpenSSF) guide for open source vulnerability finders (“Guidance for Security Researchers to Coordinate Vulnerability Disclosures with OSS Projects”), covering everything from tracking down the correct place to disclose to publishing your findings so the wider world can defend itself adequately. We’ll even discuss the pesky human element that permeates this entire process along the way, too.

Presenters:

  • Madison Oliver
    Madison Oliver (@taladrane) is a senior security analyst at GitHub managing the advisory database curation team. She’s passionate about vulnerability response and disclosure. Her views are enriched by prior experience as a product incident response analyst at GitHub and a vulnerability coordinator at the CERT/CC at the Software Engineering Institute.
  • Jonathan Leitschuh
    Jonathan Leitschuh (@JLLeitschuh) is a Software Engineer and Security Researcher. He is the first ever Dan Kaminsky Fellow. He’s best known for his July 2019 bombshell Zoom 0-day vulnerability disclosure. He’s amongst the top OSS researchers on GitHub by advisory credit. He’s both a GitHub Star and a GitHub Security Ambassador.