Episode 20 of the podcast covers a discussion on business and legal implications around vulnerability disclosure with Aaron Charfoos, Partner at Paul Hastings.
Outline:
- (01:23) Question 1: How would you advise clients/companies to react to security researchers with knowledge of a vulnerability when they contact the organization? Should companies treat this as incident response?
- (03:39) Question 2: What kind of business and legal issues do those disclosures pose? How should companies weigh out the risks?
- (06:17) Question 3: How should security researchers think about approaching companies with vulnerability disclosures?
- (10:40) Question 4: With regard to disclosure, what should organizations say and not say and to whom? Can those disclosures be coordinated with the white hats who bring the CVEs over to them? What’s the best way to get ahead of the media’s desire to shine light on these issues as news items?
- (14:09) Question 5: Are there any helpful case studies to delve into for our listeners – ie – where in your practice have you seen this work out well for clients and not so well?