To give you the best possible experience, this site uses cookies. Review our Privacy Policy and Terms of Service to learn more. Got it!
Artwork

Security Software Development Tech News Cybersecurity Informationsecurity David Spark Tech News InfoSec CISO CISOSeries
Content provided by David Spark. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by David Spark or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Similar to Defense in Depth

Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play

Defense in Depth « »
Responsible Disclosure

25:10
 
Play
Playing
Share
 

MP3Episode home
Manage episode 398858178 series 2478315
Content provided by David Spark. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by David Spark or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)

Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.

Thanks to this week’s podcast sponsor, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you’ll learn:

  • Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure.
  • Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure.
  • While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm.
  • You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc.
  • There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities.
  • One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure."
  • There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet.

  continue reading

259 episodes

#Security #Software Development #Tech News #Cybersecurity #Informationsecurity #David Spark #Tech #News #InfoSec #CISO #CISOSeries
Artwork

Responsible Disclosure

Defense in Depth

203 subscribers

published

Play Playing
iconShare
 
MP3Episode home
Manage episode 398858178 series 2478315
Content provided by David Spark. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by David Spark or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)

Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.

Thanks to this week’s podcast sponsor, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

On this episode of Defense in Depth, you’ll learn:

  • Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure.
  • Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure.
  • While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm.
  • You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc.
  • There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities.
  • One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure."
  • There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet.

  continue reading

259 episodes

#Security #Software Development #Tech News #Cybersecurity #Informationsecurity #David Spark #Tech #News #InfoSec #CISO #CISOSeries

Kaikki jaksot

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Similar to Defense in Depth

Listen to 500+ topics
Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play

Quick Reference Guide

Top Podcasts
The Bill Simmons Podcast
PTI
First Take
Marketplace
Comedy of the Week
The Bugle
How Did This Get Made?
Doug Loves Movies
Planet Money
TED Talks Daily
NBC Nightly News with Lester Holt
The World This Hour
Daily Boost Motivation and Coaching
Radiolab
Science Friday
This American Life
Criminal
Sword and Scale
In The Dark
Player FM logo
Help/FAQ | Upgrade | Advertise
Arts|Business|Comedy|Economics|Entertainment|News|Politics|Religion
Science|Soccer|Sports|Storytelling|Technology|True Crime
Copyright 2024 | Sitemap | Privacy Policy | Terms of Service | | Copyright
Episode being played series thumbnail
icon icon
Speed
Series settings
1x
1x
Volume
100%
icon
icon icon
/

View Player FM in...
Player FM
Browser
Chrome
Safari
Firefox