Survey says… Making progress in the Vulnerability Disclosure Debate

BSidesLV 2016

Presented by: Amanda Craig, Jen Ellis, Allan Friedman
Date: Wednesday August 03, 2016
Time: 11:00 - 12:25
Location: Florentine G
Track: Common Ground

The vulnerability disclosure debate isn't new. But as more vendors realize that they are software vendors, and as DMCA exceptions affect companies that touch citizens around the world, we need to get this right. The US Department of Commerce has sought to bring together important stakeholders, including security researchers and technology vendors, to identify common ground and a path forward for better security for everyone. This presentation will share some preliminary observations, and allow the security community to weigh in on this important process.

Jen Ellis

Jen Ellis is the Vice President of Community and Public Affairs at Rapid7, a security data and analytics company. In this role, Jen’s primary focus is on building productive collaboration between those in the security community and those operating outside it. She works extensively with security researchers, technology providers and operators, and various Government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cybercrime and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including HOPE, SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides. Talk to me about Archer, Phineas & Ferb, why British chocolate is so much better than US chocolate, cybersecurity policy, and driving consumer adoption of security practices and awareness.

Allan Friedman

Dr. Allan Friedman is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration in the US Department of Commerce. Prior to joining the Federal government, Friedman was a noted infosec and technology policy researcher at a range of institutions, including George Washington University, the Brookings Institution, and Harvard University. Wearing the hats of both a technologist and a policy scholar, his work spans computer science, public policy and the social sciences, and has addressed a wide range of policy issues, from cryptography to telecommunications. Friedman has over a decade of experience in security research, with a particular focus on economic, market, and trade issues. He is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014). Friedman has a Computer Science degree from Swarthmore College, a PhD in Public Policy from Harvard University, and has made his peace with the word "cybersecurity."

Amanda Craig

Amanda Craig is a Senior Cybersecurity Strategist in Trustworthy Computing’s Global Security Strategy and Diplomacy (GSSD) team at Microsoft. As part of GSSD, she focuses on policy issues related to cloud security, cyber risk management, and coordinated vulnerability disclosure, working to address complex global change and to advance trust in the computing ecosystem. She is the co-author of two Microsoft publications, Transforming Government: Cloud policy framework for innovation, security, and resilience and Transforming Government: A cloud assurance program guide. She is also a co-chair of the Awareness and Adoption working group within the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) multistakeholder process on vulnerability disclosure. Talk to her about your favorite hiking trail, living in Egypt, future technology predictions, and coordination that achieves change.

