The slides from our Networkshop session on Learning from Software Vulnerabilities are now available. All three talks showed how managing the process of finding, reporting and fixing vulnerabilities can improve the quality of software and the security of our systems.
Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all.
Thanks to recent work, particularly by the Dutch National Cyber Security Centre, the processes that result in successful discovery and reporting of software vulnerabilities are reasonably well understood.
From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However I also know, from even longer ago, what it's like to be a sysadmin told by a stranger that my precious computer has a bug in it that I urgently need to fix. They no doubt thought they were helping me, but it was awfully tempting to shoot the messenger!
Bug bounty schemes have always been controversial. In the early days of the Internet someone who found a bug in software was expected to inform the author and help fix it, as a matter of social responsibility. Suggesting that those researching vulnerabilities be paid for their time and effort seemed rather grubby. Unfortunately not everyone shared those scruples.
