The Ethics of Responsible Disclosure panel at last year’s Defcon left a lot of questions out on the table. In today’s climate of data breaches and information leaks, how do we in the infosec community disclose the vulnerabilities we discover responsibly? Who are we responsible to? Can we set a standard practice that is ethical, fair and effective? Should vulnerability researchers have immunity from the repercussions of disclosing vulnerabilities to which a vendor is non-responsive? What steps can researchers take to get protection from the coercion that occurs during the disclosure process with a vendor? Join us for a continuation of the discussions started at last year’s Defcon.
Panelists: Graeme Neilson, Kai Thompsen, Rodrigo Branco, Mystery Panelist (ask Enno), and Enno Rey
Introductions will be kept to a minimum. Most of the panelists are well known, and those panelists and moderators who are not as well known would, I think, be fine without a lot of attribution anyway. The moderator will kick off the panel by asking open questions that follow up on concepts discussed by the ethics of disclosure panel at Defcon. To start: the idea that the time has come to consider that it is no longer in the interest of researchers to follow the process widely known as “responsible disclosure.” In deference to Katie’s suggestion at the Defcon panel, we will only talk about this process as disclosure. This question will be followed up with the following reasoning: since the market for 0day has matured and nation states are in the business of driving up prices, isn’t it better just to sell 0day rather than disclose it? Vendors have matured their process to use coercion and the threat of legal action to suppress research. (Examples include vendors threatening the careers of operators of technology and direct threats of prosecution. Anecdotal stories can be spontaneously provided by the moderator, audience, or panelists.) To keep this discussion fresh and hopefully bring it to an actionable conclusion, the moderator, after letting the panelists and audience get their feathers ruffled over the topic, will propose that researchers need to take a more coercion-based approach to disclosure, with the goal being to either 1) get paid or 2) get shit fixed. Since we all know that shit ain’t never gonna get fixed, we might as well find a way to stay out of jail or avoid being branded a troublemaker in social media. This will lead to a discussion about whether it is ethical to sell, but also whether it is ethical to sell to one side of the conflict or to both sides.