How to Treat Your "Hacker" (a.k.a. Independent Security Researcher) and Responsible Vulnerability Disclosure

May 15, 2019 12:45 PM

What are the pluses and minuses of security vulnerability disclosures? What are the recommended ways to disclose vulnerabilities and to respond to a vulnerability disclosure? Imagine: someone just called your organization's switchboard (the only phone number they could find) and declared they had discovered what they think is a serious security problem in your product or service. They said they are planning to publish the information soon, but wanted to call you first. What would your organization do with such advance notice? On the other side: you are a hard-working cyber security researcher who has just uncovered a significant vulnerability in a popular device, either on your own or for a client, and you are concerned about potential abuse of it. How can responsible disclosure help ensure that the vulnerability is rectified while recognizing your hard work, and without painting you as 'the bad guy'? We'll cover how to deal with vulnerability disclosures from both perspectives, how to use them to mutual advantage, and key things NOT to do.

Speaker Information

Panelist Information

Monta Elkins

FoxGuard Solutions

Monta Elkins is "Hacker-in-Chief" for FoxGuard Solutions, an ICS patch provider. A security researcher considered by many of his friends the Chuck Norris of ICS Cybersecurity, he served Rackspace as Security Architect and Radford University as Information Security Officer. The World's Foremost Cordless Drill Musician/Hacker, Monta has been a speaker at more security conferences than even his enormous ego can remember, including DEFCON, BSIDES, GE Digital Energy, ICSJWG, GridSecCon, ICS CyberSecurity, and the SANS ICS Summit, and was named Cybersecurity Professional of the Year by EnergySec. In his spare time, the Award Winning Monta created a YouTube channel, solving all the world's technology problems: https://tinyurl.com/y6vpmbw4 Monta is the author of the "Defense Against the Dark Arts" hacker classes and a SANS instructor. He has served as a guest lecturer for colleges, universities and elsewhere. As a small child, he entertained himself by memorizing Pi -- backwards.