Overview
Explore the evolution and current state of coordinated vulnerability disclosure in this 52-minute RSA Conference talk. Delve into new research data highlighting the perspectives of both security researchers and organizations on vulnerability disclosure practices. Learn about clashes between researchers and companies, timeline issues, and changing sentiments in the field. Examine case studies of successful bug bounty programs, including those from Microsoft, Facebook, and the U.S. Department of Defense. Analyze survey results and gain insights into researchers' expectations, the impact of open source, and the phenomenon of "Bug Bounty Botox." Conclude with valuable recommendations for improving coordinated vulnerability disclosure processes. Prerequisite: Familiarity with vulnerability disclosure processes and policies.
Syllabus
Intro
The study
Disclosure without coordination
Timeline issue
Sentiment has changed
When CVD goes mainstream
Microsoft bug bounties
Facebook bug bounty
Hacking the Pentagon
What a Researchers Expect
Bug Bounty Botox
Open Source
Survey Results
Recommendations
Taught by
RSA Conference