HF 2022 - Call for Papers

The good, bad, and ugly of responsible disclosure
2022-10-30, 13:30–14:20, Track 1

As a security researcher, it is a herculean task not to wonder about and poke at many of the apps we interact with on a daily basis. Platforms in industries such as banking, education, social media, security, document management, IoT, and healthcare are riddled with security vulnerabilities that go undetected for months or even years. While hackers have the luxury of exploiting these vulnerabilities under the guise of anonymity, white hats and cybersecurity researchers are often faced with resistance or are flat-out ignored when trying to responsibly disclose vulnerabilities.

In this talk, I will discuss the pains of responsible disclosure and bug bounty programs and how companies should rethink the way they handle vulnerabilities disclosed by researchers. The aim is to bring awareness to often overlooked and misunderstood issues and to provide solutions that encourage healthy responsible disclosure interactions.


For the past 3 years, I have conducted several research projects and participated in HackerOne and Bugcrowd programs to identify and responsibly disclose vulnerabilities in everyday applications. Interactions with cyber defense teams have been both positive and negative, including being threatened with legal action, having bugs immediately closed by managed triage teams who do not understand the attack vector or the platforms they are responsible for, and having reported vulnerabilities left exposed for months or even years.

The following is a tentative agenda:
- Introduction (5 minutes)
- Responsible Disclosure (15 minutes)
  - Why do it?
  - How to do it?
  - The Criminal Code
  - Real-life examples (Staples, IoT)
- Bug Bounty Programs (20 minutes)
  - The good and the bad
  - Managed or unmanaged
  - Issues with CVSS for criticality
  - Real-life examples
  - Right to disclosure
- Summary of guidance and conclusion (5 minutes)
- Questions (5 minutes)


Are you releasing a tool? – no
Was this talk already given? – no