[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (1) by Ikuo Takahashi
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
More Related Content
Similar to [cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (1) by Ikuo Takahashi
Similar to [cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (1) by Ikuo Takahashi (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" International Panel Discussion (1) by Ikuo Takahashi
- 1. “The Current and Future of Coordinated Vulnerability Disclosure” International Panel Discussion (JPN) Hiroyuki Itabashi (Information Promotion Agency) (EU) Lorenzo Pupillo, PhD (Associate Senior Research Fellow - GRID Unit, Head of the Cybersecurity@CEPS Initiative) (US) Allan Friedman, PhD (Senior Advisor and Strategist, Cybersecurity & Infrastructure Security Agency) Moderator, Ikuo Takahashi (Komazawa Legal Chambers)
- 2. Vulnerabilities • By Definition • Per Japan Early Warning Partnership • “A security weakness where the functionality or performance can be impacted by an attack such as computer viruses or unauthorized computer access” • Per ISO/IEC 27000:2009, 2.46, modified • “weakness of software, hardware, or online service that can be exploited” • Importance at present • Opportunity for Cyber Threats, e.g. ”Fuel for attacks” • Opportunity for whom • Cyber criminals/State-sponsored attack • Governments, Attacker/Defender
- 3. Coordinated Vulnerability Disclosure Full disclosure • Malicious attackers already know about a vulnerability, so it is best if everyone knows their techniques. • Vendors cannot hide bugs about vulnerabilities once they are publicly disclosed. • Disclosure of vulnerability information is necessary to create a better system in the future. • We should regard the concept that the vulnerability information is the property of the discoverer as positive one. Responsible disclosure • Most vulnerabilities are investigated with the motivation of the disclosure itself. • E.g. as a demonstration of one's competence instead of for the purpose of eliminating the vulnerability • There can be other ways to effectively disclose vulnerabilities. • Creating an improved system does not require providing detailed vulnerability information or testing.
- 4. Coordinated Vulnerability Disclosure Per Region JAPAN EU US Present • Early Warning Partnership (2004~) • PSIRT awareness-raising activities • Active mediation function of state agencies • Coordinated Vulnerability Disclosure Policies. • Mixed responses from country to country • Examples: advanced Belgium, Netherlands, France • Legal cases (~2010) toward protection of researchers • Government activities • FTC (Federal Trade Commission) and regulators in IoT • Cooperation between researchers and vendors • Leverage by law enforcement agencies International trends • Closer relationships between National Security and Cybersecurity • Bug bounty programs • Formalized Standards • ISO/IEC 29147:2018120 Information technology -- Security techniques -- Vulnerability disclosure • ISO/IEC 30111:2013 Information technology -- Security techniques -- Vulnerability handling processes • RFC9116 File Format for Security Vulnerability Disclosure Support