HF 2022 - Call for Papers


The good, bad, and ugly of responsible disclosure
Oct 30, 13:30–14:20 (Canada/Eastern), Track 1
Language: English

As a security researcher, it is a herculean task not to wonder about and poke at many of the apps we interact with on a daily basis. Platforms in industries such as banking, education, social media, security, document management, IoT, and healthcare are riddled with security vulnerabilities that go undetected for months or even years. While criminals have the luxury of exploiting these vulnerabilities under the guise of anonymity, white hats and cybersecurity researchers are often met with resistance, or flat-out ignored, when trying to responsibly disclose vulnerabilities.
In this talk, I will discuss the pains of responsible disclosure and bug bounty programs and how companies should rethink how they handle disclosed vulnerabilities from researchers. The aim is to bring awareness to often overlooked and misunderstood issues and provide solutions that encourage healthy responsible disclosure interactions.


For the past 3 years, I have conducted several research projects and participated in HackerOne and Bugcrowd programs to identify and responsibly disclose vulnerabilities in everyday applications. Interactions with cyber defense teams have been both positive and negative, including being threatened with legal action, having bugs immediately closed by managed triage teams who do not understand the attack vector or the platforms they are responsible for, and having reported vulnerabilities left exposed for months or even years.

The following is a tentative agenda:
- Introduction (5 minutes)
- Responsible Disclosure (15 minutes)
  - Why do it?
  - How to do it?
  - The Criminal Code
  - Real-life examples (Staples, IoT)
- Bug Bounty Programs (20 minutes)
  - The good and the bad
  - Managed or unmanaged
  - Issues with using CVSS to rate criticality
  - Real-life examples
  - Right to disclosure
- Summary of guidance and conclusion (5 minutes)
- Questions (5 minutes)


Are you releasing a tool? – no
Has this talk been given before? – no

Principal & Co-Founder, Proack Security Inc.

Craig is a Principal and Co-Founder of Proack Security Inc. He is an experienced security consultant & researcher who specializes in infrastructure and application penetration testing and threat and vulnerability management. He has extensive experience with mobile testing, specifically API and Android testing. In his spare time, he enjoys finding vulnerabilities in everyday household apps.

Certifications:
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Security Professional (CISSP)
- GIAC Web Application Penetration Tester (GWAPT)
- Certified Ethical Hacker (CEH)
