Explore a comprehensive conference talk that delves into the complex dynamics of vulnerability disclosure, focusing on how the government is facilitating dialogue between researchers and vendors. Learn about the history of vulnerability disclosure, the various stakeholders involved, and the challenges faced by both researchers and vendors. Discover the efforts to establish common ground principles, build trust, and reduce friction in the disclosure process. Gain insights into the evolving market dynamics, the role of public pressure, and the potential impact of software liability. Examine the importance of transparency, civil society involvement, and the need for ongoing conversations between all parties to improve the vulnerability disclosure landscape.
Don't Hate the Disclosure, Hate the Vulnerability - How the Government is Bringing Researchers and Vendors Together to Talk Vulnerability Disclosure
Overview
Syllabus
Intro
Alan Friedman
History
Katie Masseur
More public attention
Dip in the water
The middlemen
The two sides
The researcher side
The heroes
The academics
The knowledge
Slytherin
Everyone is special
Vendors just want money
They want the same thing
Vendors want security
Vendors have different capabilities
Different firms have different abilities
Different firms have different markets
What are the outcomes
Theres no silver bullet
There is no onesizefitsall model
People are looking for different things
Building a set of principles
Magna Carta of Vulnerability Disclosure
How are we going to do that
Finding common ground
Getting things done
Building trust
Building predictability
Reducing friction
Markets evolve
Predictability
Challenges
The US Government
Peer Pressure
Final Bullets
How can you help
Hard question
Mikey Dickerson
A provocative idea
Public pressure moves companies
Software liability
Civil society
Transparency
German Researcher
Companies have gotten worse
Disclosures are getting worse
We have gotten worse in this experience
This conversation has to be with both groups
Taught by
BSidesLV
