Posted by Virus Bulletin on Sep 16, 2014
Vulnerability disclosure one of the hottest issues in security.
In the proceedings of the 24th Virus Bulletin conference, the words 'vulnerabilty' and 'vulnerabilities' occur more than 200 times. I think there is no better way to demonstrate how important a topic this is.
Some approach vulnerabilities from a purely defensive point of view: how do we make sure our software detects exploits of vulnerabilities? Or even at a meta level: how do we test such software?
Others are worried about vulnerabilities in the software they develop, while yet another group of people spend their time trying to find such vulnerabilities. To bring these latter two groups together, bug bounties have become an increasingly common way to reward responsible disclosure.
Few know more about bug bounties than Katie Moussouris (@k8em0). While working for Microsoft, she was instrumental in introducing the company's bug bounty programme. In her current role, as Chief Policy Officer at HackerOne, she helps other companies deal with vulnerability response and set up bug bounty programmes, most recently Twitter.
In her keynote 'Choose your own keynote adventure - bounties and standards and vuln disclosure, oh my!', Katie will discuss various elements of vulnerability response. The keynote will be very interactive and she will answer questions both from the VB2014 audience and from Twitter.
Some vulnerabilities, however, are so serious and affect so many that the question of how to reward their discoverers becomes almost irrelevant. The most important thing here is to make sure that those affected have patched before those interested in exploiting the vulnerability learn about it.
How we can make sure this happens smoothly will be the topic of the closing panel 'Vulnerability sharing in the age of Heartbleed'. Chaired by Chester Wisniewski (Sophos), the discussion will be the next in a series of gripping closing panels that will show new attendees why people at VB always stay until the very end.