http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/
By Kim Zetter
Security
Wired.com
10.01.15
Security researchers and vendors have long been locked in a debate over
how to disclose security vulnerabilities, and there’s little on which the
two sides agree. Apparently this extends even to the question of whether
they should meet to hash out their disagreements.
That’s the conclusion after a coalition of security vendors, academics,
lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how
to improve the sometimes-hostile system for reporting software
vulnerabilities.
But the diverse group of participants had a hard time even agreeing on the
purpose of the meeting: Was it to draft a charter for best practices in
reporting software vulnerabilities? Was it to reform parts of the Digital
Millennium Copyright Act and Computer Fraud and Abuse Act to make them
less hostile to researchers? Or was it to develop guidelines for companies
interested in launching bug bounty programs?
The participants hit another sticking point when they tried to determine
if they should hold a second meeting. “I spent $2,000 [to come to this
meeting],” Dave Aitel, CEO and founder of the Florida-based security firm
Immunity, told attendees. Whether or not there’s a second meeting, “should
at least be an option” for discussion.
[...]