Towards a multi-stakeholder approach to vulnerability disclosure for better security

No ratings

Presented at AtlSecCon 2016 by

Vic Chung

Did Venom, Ashley-Madison data leak, or OPM hack, teach us anything as security professionals? As year(s) go by, we continue to hear high-profile hacks on security headlines. While we can blame technology is evolving and security can never be perfect, we should also ask whether we have approached security properly. In this presentation, I will argue the coordination of vulnerability disclosure remains as a critical area in security for research and development beyond offensive and defensive security techniques. The rise of cloud technologies and Internet of Things provides a complex threat landscape where defensive techniques could be insufficient to mitigate all risks. I will review why current vulnerability disclosure and disclosure capability practices and models are insufficient to lead to better security. I will suggest a forward-looking strategy to extend beyond responsible disclosure is required to handle the complicated technology ‘eco-system’ we are in today. I will show you cross-disciplinary tools, techniques, and a practical model of collaboration and coordination around vulnerability disclosures with hackers, vendors, security researchers, and customers alike as a novel approach to build better security.