CyberSecurity, Research & Disclosure

The goal of this conference is to work towards a consensus, if possible, on responsible disclosure policies by discussing in depth the problems with the current process for vulnerability discovery, reporting and patching, and by learning from previous efforts to create such policies. Even if delegates cannot reach consensus on disclosure practices that promote and further security, we will attempt at least to thoroughly document the various security tradeoffs any disclosure policy or lack of policy entails.

Resolved: The Process is Broken

Currently, vendors rush vulnerable software to market, where it receives rigorous security testing after the fact from independent researchers and paid security consultants. The consultants are often under NDA and have little or no incentive to notify the vendor of flaws; they sell their knowledge directly to clients. The independent researcher hopes to gain employment by obtaining credibility in the community through reporting the flaws he finds. There’s little incentive to report directly to the vendor and wait for a patch. Once a flaw is discovered, the researcher may have trouble finding the proper person to report it to and the vendor may have trouble assessing the seriousness of the problem and getting a patch out on time, or may simply not be motivated to fix the problem in a timely fashion without the threat of public disclosure. Once a patch is issued, a substantial number of system administrators and home users will fail install it, and remain vulnerable.

The conference will address seven separate problems raised by the above scenario:

• Does public disclosure of vulnerabilities motivate the vendor to release more secure software, and if so, does this benefit sufficiently outweigh potential risks that the information will be misused?
• How can independent researchers be adequately compensated for the valuable service they provide to vendors and customers while encouraging responsible reporting?
• Does the commercialization of security information promote security, or should reporting be an academic or governmental function?
• What practices or policies facilitate communication between vendors and researchers. What should the researcher do? What should the vendor do? Should practices differ for small vendors, ISPs or website owners?
• When does disclosure best promote security and minimize exploitations, and how much information should be disclosed at a given point in time, and to whom?
• What policies or practices encourage the installation of patches?
• How can disclosure policies promote computer security? How can we work towards consensus on such a policy? Encourage compliance with the policy? What would the policy include, and what are the security tradeoffs? Is there a role for regulation or government intervention in this area, or are market incentives sufficient?

Each topic will be hosted by a moderator who will briefly introduce the issue. The first commentator will then present a position on the topic, and the second commentator will respond or elaborate. There will be time for a brief rebuttal before the moderator entertains comments and questions from the floor.

When does disclosure best promote security and minimize exploitations, and how much information should be disclosed at a given point in time, and to whom? (BLOGGED)

• Jennifer Granick, Stanford CIS, Moderator
• David Litchfield, NGSSoftware
• Tiina Havana, Department of Electrical and Information Engineering, University of Oulu
• Gerhard Echelbeck, Qualys
  

How can independent researchers be adequately compensated for the valuable service they provide to vendors and customers while encouraging responsible reporting? (BLOGGED)

• Chris Sprigman, Stanford CIS Fellow, Moderator
• Len Sassaman, Anonymizer
• Chris Wysopal, @Stake
  

Does the commercialization of security information promote security, or should reporting be an academic or governmental function? (BLOGGED)

• Chris Sprigman, Stanford CIS Fellow, Moderator
• Shawn Hernan, CERT
• Simple Nomad, NMRC
• Sunil James, iDEFENSE
  

What practices or policies facilitate communication between vendors and researchers.   What should the researcher do? What should the vendor do? Should practices differ for small vendors, ISPs or website owners? (BLOGGED)

• David Dill, Professor of Computer Science, Stanford University, Moderator
• Steve Lipner, Microsoft
• Matt Blaze, AT&T
  

How do you motivate the vendor to release more secure software without crippling innovation? (BLOGGED)

• Scott Blake, Bindview, Moderator
• Mary Ann Davidson, Oracle
• Bruce Schneier, Counterpane
  

What policies or practices encourage the installation of patches? (BLOGGED)

• Lauren Gelman, Stanford CIS,   Moderator
• Stephanie Fohn, Consultant
• Vincent Weafer, Symantec
  

What are the practical considerations in formulating, implementing and enforcing vulnerability disclosure policies or best practices? (BLOGGED)

• Jennifer Granick, Esq., Stanford CIS
• Jim Duncan, Cisco
• Hal Varian, Professor, University of California, Berkeley
  

What role should legal rules play and how can the law help or hurt security in the area of vulnerability disclosure?  (BLOGGED)

• Gregory P. Schaffer, PricewaterhouseCoopers, Moderator
• Peter Swire, Professor of Law at Ohio State University
• Stephen Wu, Esq., InfoSec Law Group
  

Concluding Remarks: Moderators (BLOGGED)