“Responsible Disclosure”
“Can you size it?”
Data breaches: Known vs “Prevented”
Known (made public):
  2014: 67,924,685 records, 297 breaches made public
  2015: 153,350,507 records, 142 breaches made public
Prevented:
  2014: 47,229,787 records, 18 breaches prevented
  2015: 225,303,293 records, 9 breaches prevented
“Responsible Disclosure” success rate
Data breaches: Known vs “Prevented”
  2014: 36,637,117 records, 13 breaches prevented
  2015: 115,100 records, 12 breaches prevented
What does the “Law” say?
Responsible Disclosure guidelines are not above the law.
Dutch Law
German Law
European Law… with or without kourambiedes
American Law
Dictator’s Law
Mother in Law
Mother Russia
Mother of all messes…? tl;dr
“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”
“Responsible Disclosure”
Best practice for security researchers
“One size does not fit all” - Cultural and local laws
Do your homework
Find the right person to disclose to
Be clear about your goal
Make a good impression (leave your ego at the door)
Qualify the issue correctly (choose your words carefully) - using “maybe” and “might” helps
Don’t demand / don’t make threats
Don’t use idioms; write clean, short sentences (that still make sense if a translator is used)