hsb15 - 0xdude


Post on 24-Jan-2017


“Responsible Disclosure”

What is IT? Where is IT?

“Responsible Disclosure”

“Can you size it?”

Data breaches: Known vs “Prevented”

Known (made public):
2014: 67,924,685 records, 297 breaches made public
2015: 153,350,507 records, 142 breaches made public

Prevented:
2014: 47,229,787 records, 18 breaches prevented
2015: 225,303,293 records, 9 breaches prevented

“Responsible Disclosure” success rate

Data breaches: Known vs “Prevented”

2014: 36,637,117 records, 13 breaches prevented
2015: 115,100 records, 12 breaches prevented

Cost of Data Breaches

What says the “Law”

Responsible Disclosure Guidelines are not above the law..

Dutch Law

German Law

European Law.. with or without kourambiedes

American Law

Dictator’s Law

Mother in Law

Mother Russia

Mother of all messes…? tl;dr

“Thou shall not use Social Media for Responsible Disclosure”

Unless..

“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your license agreement and stop reverse engineering our code, already.’”

Bug bounties

Disclosure programs

“Coordinated vulnerability disclosure”

“Responsible Disclosure”

Best practice for security researchers

“One size does not fit all” - Cultural and local laws

Do your homework

Find the right person to disclose to

Be clear about your goal

Make a good impression (leave your ego at the door)

Qualify the issue correctly (carefully choose your words) - using “maybe” and “might” helps

Don’t demand / don’t make threats

Don’t use idioms; write clean, short sentences (that still make sense if a translator is used)

“Responsible Disclosure”

Wrap up

Final thoughts...

Questions?

Time to Punch out