What Every Developer Needs to Know About Coordinated Vulnerability Disclosure
Title: Don’t Let the Bad Bugs Bite: What Every Developer Needs to Know About Coordinated Vulnerability Disclosure
Abstract: Every software project has bugs. Today's software systems, many of which rely on long lists of free and open source dependencies, are enormously complicated, and with so many interacting parts, bugs will slip in despite good design and automated testing. In this environment, the number of bugs a given piece of software contains matters less than how prepared and responsive the developer is when those bugs are reported, especially when security and privacy are on the line. This talk is about what happens when code review and automated testing fail to find a security bug and someone on the Internet finds it in production instead. Drawing on real incidents, I will discuss why all software projects, free and open source as well as proprietary, should prepare for security vulnerability disclosure; the consequences of ignoring such bug reports; and how to establish and maintain relationships with the security researcher community. I will also cover the challenges of notifying users and downstream projects through coordinated vulnerability disclosure, and offer recommendations and best practices for software development teams and vendors handling reports of security bugs.
Presented at Abstractions, August 18-20, 2016, Pittsburgh, PA