Help us help you be taken more seriously
when: Sat, 13 Nov 2021 14:15:00 +1300
where: The Michael Fowler Centre
Security researchers contact organisations letting them know of potential vulnerabilities. Have you ever wondered why you may not be getting a response? Could it be that you were not reporting an actual vulnerability? Did you have a proof of concept? Did you use an email address that you didn’t monitor? Before damming the organisation, remember that there are always two sides to every coin.
In this presentation, we want to share the organisational viewpoint. Of course, we value the input of info sec researchers, pointing out vulnerabilities to us, and of course we want to do the right thing. However, this doesn’t always go well when the researcher doesn’t follow some basic guidelines when submitting a report. Receiving an unsolicited vulnerability disclosure for another organisation is just one of those things that should be avoided.
We will highlight things to avoid when you contact an organisation and provide a cheat sheet of helpful things to include in your vulnerability disclosure.
anitsirk and Faily Monster
anitsirk: Typically, anitsirk is behind the camera at Kawaiicon (and prior to that Kiwicon). When there is no con, she leads an open source project at Catalyst. Faily Monster: He’s here and he’s always keen to help!