lecture: Developments in Coordinated Vulnerability Disclosure
The government is here to help
There has been much development in recent years on vulnerability disclosure. The Netherlands took the lead in 2013 by publishing an official guideline for "Responsible Disclosure".
Since then much has happened: other countries have shown an interest, and there is even a (free!) ISO standard on Coordinated Vulnerability Disclosure. In this talk I'll summarise the global developments and explain how and why things have developed as they have.
At the end of this talk I'd also like to have an open discussion and collect feedback on how the Dutch government has handled this and can possibly improve this.
#NetworkSecurity #PhysicalSecurity #DeviceSecurity #Politics
Vulnerability Disclosure has earned its place in security. The trend of full disclosure died in the 90s as realisation set in that writing software really is complex, and not all vendors are at fault for having errors in code.
In the 21st century vulnerability disclosure has become more and more acceptable. The Netherlands is the only country that has an official policy on disclosure, but other countries have shown an interest. This can also be seen in the rise of companies that help with vulnerability disclosure, and in the large companies that run paid programs, so-called bug bounties.
Vulnerability disclosure and incident response have also become recognised practices in policy making. They played an important role in discussions on export control and dual-use goods in the international Wassenaar Arrangement talks.
Please join me for an open discussion!