“Responsible Disclosure”

HSB15 - 0xDUDE

Jan 24, 2017

Transcript
Page 1: HSB15 - 0xDUDE

“Responsible Disclosure”

Page 2
Page 3

What is IT? Where is IT?

“Responsible Disclosure”

Page 4

“Can you size it?”

Data breaches: Known vs “Prevented”

Year   Known (made public)                 Prevented
2014   67,924,685 records, 297 breaches    47,229,787 records, 18 breaches
2015   153,350,507 records, 142 breaches   225,303,293 records, 9 breaches

Page 5

“Responsible Disclosure” success rate

Data breaches: Known vs “Prevented”

Year   Prevented
2014   36,637,117 records, 13 breaches
2015   115,100 records, 12 breaches

Page 6

Cost of Data Breaches

Page 7

What says the “Law”

Responsible Disclosure Guidelines are not above the law...

Dutch Law

German Law

European Law... with or without kourambiedes

American Law

Dictator’s Law

Mother in Law

Mother Russia

Mother of all messes…? tl;dr

Page 8

“Thou shalt not use Social Media for Responsible Disclosure”

Unless...

Page 9
Page 10

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”

Page 11
Page 12
Page 13

Bug bounties

Disclosure programs

“Coordinated vulnerability disclosure”

Page 14
Page 15
Page 16

“Responsible Disclosure”

Best practice for security researchers

“One size does not fit all” - Cultural and local laws

Do your homework

Find the right person to disclose to

Be clear about your goal

Make a good impression (leave your ego at the door)

Qualify the issue correctly (choose your words carefully) - using “maybe” and “might” helps

Don’t demand / don’t make threats

Don’t use idioms; write clean, short sentences (that still make sense if a translator is used)

Page 17

“Responsible Disclosure”

Wrap up

Final thoughts...

Questions?

Time to Punch out