When Security Experts Gather to Talk Consensus, Chaos Ensues

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/

By Kim Zetter
Security
Wired.com
10.01.15

SECURITY RESEARCHERS AND vendors have long been locked in a debate over 
how to disclose security vulnerabilities, and there’s little on which the 
two sides agree. Apparently this extends even to the question of whether 
they should meet to hash out their disagreements.

That’s the conclusion after a coalition of security vendors, academics, 
lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how 
to improve the sometimes-hostile system for reporting software 
vulnerabilities.

But the diverse group of participants had a hard time even agreeing on the 
purpose of the meeting: Was it to draft a charter for best practices in 
reporting software vulnerabilities? Was it to reform parts of the Digital 
Millennium Copyright Act and Computer Fraud and Abuse Act to make them 
less hostile to researchers? Or was it to develop guidelines for companies 
interested in launching bug bounty programs?

The participants hit another sticking point when they tried to determine 
if they should hold a second meeting. “I spent $2,000 [to come to this 
meeting],” Dave Aitel, CEO and founder of the Florida-based security firm 
Immunity, told attendees. Whether or not there’s a second meeting, “should 
at least be an option” for discussion.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/