Navigating the Landscape of Coordinated Vulnerability Disclosure by Edwin Foudil (2023)

For more information, visit https://2023.swisscyberstorm.com/schedule/ and https://www.swisscyberstorm.com.

## Summary
*Moderator:* Edwin Foudil
*Title:* Navigating the landscape of coordinated vulnerability disclosure
*Category:* SCS2023
*Subcategory:* Regular
*Video:* https://www.youtube.com/watch?v=BcKLMOaV7dQ
*Length:* 25:18
*Contents:* Edwin Foudil discusses the complexities and challenges of Coordinated Vulnerability Disclosure (CVD), emphasizing the importance of a structured process, legal protections, and good relationships with ethical hackers. He outlines the key principles for running a successful CVD program, including establishing points of contact, defining handling processes, and implementing legal safe harbors.

## Keywords
– Coordinated disclosure of security vulnerabilities
– Bug bounty
– Legal Safe Harbors
– Security.txt
– Dealing with security vulnerabilities

## Ideas
– Coordinated Vulnerability Disclosure (CVD) often requires complex interactions between ethical hackers and companies, and presents challenges including legal issues and the concealment of data breaches.
– Building close relationships with hackers, including providing feedback and legal protection, can significantly increase the effectiveness of a CVD program.
– Implementing simple touchpoints such as security.txt can streamline the reporting process and improve response times.
– Creating common response templates and prioritizing vulnerabilities through threat modeling are critical to effective vulnerability management.
– Legal safe harbors are becoming increasingly important to encourage participation in bug bounty and CVD programs.

## Quotes
– "The whole CVD process cannot work if you do not have at least an initial access point for contact."
– "In my opinion, the process is usually best implemented using templates."
– "Build a strong relationship with your hackers… get to know Kelly, work with Kelly."
– "There is no excuse not to consult your lawyers… to understand what you can do to provide a legal safe harbor for your hackers."

## Facts
– On average, there are between one and 100 vulnerabilities in every 2,000 lines of code.
– Legal safe harbors are becoming a crucial factor in the bug bounty and CVD areas.
– Swiss companies like Swisscom have started adopting “security.txt” to make it easier to report vulnerabilities.

## Resources
– *Security.txt* – File format used to specify how to contact a company regarding security vulnerabilities.
– *Dr. Amit Elazari* – Advocate for legal safe harbors in CVD programs.

## Recommendations
– Adopt security.txt to make it easier for ethical hackers to report vulnerabilities.
– Develop and maintain templates for handling different types of vulnerability reports to streamline the response process.
– Consult legal experts to ensure that your CVD program provides adequate legal protection (a safe harbor) for the hackers who report to you.
