 |
|
|
|
 |
|
||
Stanford Law School Center
for Internet and Society |
|
||
 |
|
||
How does vulnerability disclosure
best promote security? |
|
||
 |
|
||
November 22, 2003 |
|
||
 |
|
||
Stanford
Law School, Stanford, CA, USA [directions] |
|
||
 |
|||
Stanford Law School
CENTER FOR INTERNET AND SOCIETY
Conference on CyberSecurity, Research, and Disclosure
NOVEMBER 22, 2003, STANFORD, CA
Audio Clips
Audio clips from the conference are broken down into four streams: two from the morning sessions, two from the afternoon.
Morning-1 - Morning-2 - Afternoon-1 - Afternoon-2
Background
This conference explores the relationship between computer security, privacy,
and disclosure of information about security vulnerabilities.
September 11th gave new urgency to the debate over whether information
collection and dissemination is dangerous or empowering. One view is
that vulnerability information should be kept secret and out of the hands
of potential criminals and foreign agents. Another view is that the public
needs to be informed about security weaknesses, so that people can take
appropriate precautions and so that there will be a constituency to pressure
for the rapid repair of vulnerabilities. Meanwhile, policy makers struggle
to find a balance between promoting security research, constructive information
sharing, remediation and protecting commercial interests. Industry has
tried to develop "best practices" for reporting and repairing
vulnerabilities, but major disagreements - over how much information
to disclose, to whom, and when - persist.
The federal government has tried to both establish standards for commercial
entities to share information about vulnerabilities and to pass laws to
deter the distribution of information that may enable cyberattacks. However
critics say these initiatives help only a select few, threaten proprietary
information, deter legitimate security research and are overly expensive.
During the course of this day-long conference, featured speakers and participants
will work towards a solution for both industry and government that promotes
computer security and addresses the economic, governmental, and social
issues that arise under current research and reporting practices.
Audience
The relevant audience for this conference includes computer security researchers
and practitioners, computer science academics and professionals, hackers,
policy formulators, software vendors and writers, commercial entities
that use networked computers, consumers, officials charged with increasing
government and national security and security critical infrastructure
including law enforcement and national security officers, consumer rights
advocates and civil libertarians.
