Allen Householder is a Senior Vulnerability & Incident Researcher at the CERT Coordination Center (CERT/CC). He has been involved in internet security since his first professional job in 1995, where a few weeks after starting at a Fortune 500 company he was told “You’re the IP & DNS guy” and shortly thereafter was given responsibility for the corporate firewall. His recent work includes being the technical lead developer for the CERT Basic Fuzzing Framework (BFF) and Failure Observation Engine (FOE), and research into the (in)security of the Internet of Things. His research interests include applications of machine learning to software and system security, fuzzing, and modeling of information sharing and trust among Computer Security Incident Response Teams (CSIRTs).
Coordinated Vulnerability Disclosure is a concurrent process
Media reports about Zero Days, bug bounties, and branded vulnerabilities usually focus on the publication of a vulnerability report. Vulnerability disclosure policies recently hit the mainstream with public kerfuffles between Google and Microsoft over the timing a few vulnerability announcements. However, public reports largely ignore the process of coordination and disclosure that precedes a publication event. For the past 26 years at the CERT Coordination Center, we have been helping connect security researchers and vendors in the interest of improving the security of the Internet and providing users and administrators with the information they need to secure their systems. In this talk I’ll describe the process of coordinating vulnerability disclosures, why it’s hard, and some of the pitfalls and hidden complexities we have encountered. This will be a behind-the-scenes look at a process that doesn’t receive much attention yet is of critical importance to internet security.