How to Disclose or Sell an Exploit Without Getting in Trouble

DEF CON 21

Presented by: James Denaro
Date: Saturday August 03, 2013
Time: 18:00 - 18:20
Location: Track 4
Track: Track 4

You have identified a vulnerability and may have developed an exploit. What should you do with it? You might consider going to the vendor, blogging about it, or selling it. There are risks in each of these options. This 20-minute session will cover the legal risks to security researchers involved in publishing or selling information that details the operation of hacks, exploits, vulnerabilities and other techniques. This session will provide practical advice on how to reduce the risk of being on the wrong end of civil and criminal legal action as a result of a publication or sale.

James Denaro

James Denaro (@CipherLaw) is the founder of CipherLaw, a Washington, D.C.-based consultancy, and focuses his practice on the legal, technical, and ethical issues faced by innovators in information security. Jim is a frequent speaker and writer on the subject of intellectual property issues in information security and has experience in a wide range of technologies, including intrusion detection and prevention, botnet investigation, malware discovery and remediation, and cryptography. Jim has completed professional coursework at MIT and Stanford in computer security and cryptography. He also holds technical certifications from the Cloud Security Alliance (CCSK) and Cisco Systems (CCENT), and has passed the CISSP examination (pending certification). Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug. Jim is a registered patent attorney and is admitted to practice in the District of Columbia, California, Maryland, and Virginia. Jim has undergraduate degrees in computer engineering and philosophy and is currently pursuing graduate legal studies in national security at Georgetown. Jim was formerly with the international law firms of Morrison & Foerster and Perkins Coie before founding CipherLaw.

