Responsible disclosure

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)

Security researchers and hackers find vulnerabilities. What responsibility do they have for disclosure? What about the vendors when they learn about the vulnerabilities? And do journalists have to meet the same deadlines?

Check out this post (https://www.linkedin.com/posts/allanalford_ciso-cisos-informationsecurity-activity-6646372457747935233–ttY) to learn more about the discussion that forms the basis of our conversation in this week's episode. The episode is co-hosted by myself, David Spark (https://www.linkedin.com/in/davidspark/) (@dspark (http://twitter.com/) ), producer of the CISO Series (https://cisoseries.com/), and Allan Alford (https://www.linkedin.com/in/allanalford/) (@AllanAlfordinTX (https://twitter.com/AllanAlfordinTX) ). Our guest is Tom Merritt (https://www.linkedin.com/in/tommerritt/) (@acedtect (https://twitter.com/acedtect)), host of the Daily Tech News Show (https://dailytechnewsshow.com/).

Thanks to this week’s podcast sponsor, Qualys.

Qualys (https://www.qualys.com/solutions/devops/?utm_source=cisoseries&utm_medium=virtual-event&utm_campaign=demand-gen&utm_term=devops-podcast-series-q1-2020&utm_content=trial&leadsource=344569915) is a pioneer and leading provider of cloud-based security and compliance solutions.

In this episode of Defense in Depth you will learn:

• Manufacturers, software companies, researchers, hackers and journalists all play a role in responsible disclosure.

• Vulnerabilities will exist and they will be found. The way companies choose to raise awareness of these issues and inform the public are key elements in the responsible disclosure process.

• While there are CERT guidelines for responsible disclosure (https://www.hackerone.com/blog/Your-TLDR-Summary-of-The-CERT-Guide-to-Coordinated-Vulnerability-Disclosure), there are no real hard and fast rules. There will always be discretionary decisions. But like the doctor's Hippocratic Oath, the goal is to minimize harm.

• You shouldn't publicly disclose a security vulnerability before a fix or mitigation is available. Publishing details with no fix opens the door for bad guys to come in and cause chaos.

• There is a long history of vulnerabilities being disclosed, often unexpectedly and sometimes maliciously. The trend toward responsible disclosure and bug bounties has given legitimacy to white hat hackers and to the process of vulnerability disclosure.

• A member of the audience argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be called "coordinated disclosure," which is also the term the CERT guide itself uses.

• There is still frustration on many sides about how responsible disclosure should be handled. Researchers sometimes argue that they get neither recognition nor payment for their work. Companies often feel blackmailed by researchers who want answers on the researchers' timelines. And journalists have to weigh the importance and criticality of a security vulnerability: should they tell people about it even if there is no really good solution yet?
