Overview
Explore the critical role of empathy in vulnerability disclosure practices for software vendors in this 46-minute LASCON conference talk. Delve into the complexities of security advisories beyond standard templates and process maps, examining how decisions around information sharing, audience understanding, and customer support reflect team values. Learn from a real-world product security advisory case study, including cross-functional team collaboration and decision-making processes. Gain insights into successful practices, lessons learned, and recommendations for future security advisories and response strategies. Discover how empathy can preserve trust and enhance vulnerability disclosure processes, even though it is not explicitly mentioned in the ISO 29147 standard.
Syllabus
Intro
Certifications
Good Standards
Product Security Advisory
Self-Service Portal
Timeline
Customer Report
Vulnerability triage
Pizza
Patching
Interim release
User personas
Gary's needs
No evidence
False positives
Customer remediation
Testing qualification
Vulnerability disclosure playbook
Internal communications
Timing
Customer feedback
The right amount of time and effort
Summary
Conclusion
Questions
Taught by
LASCON