Do you think vulnerability disclosures with a clear marketing campaign and PR process, such as Heartbleed, POODLE, or Shellshock, have value?
AA: This leads back to the point about granting reward and recognition to Bug Bounty programs. Many feel that the best way to gain recognition and coverage is to launch a PR campaign.
The problem with these campaigns is that some of them become overhyped and just serve to grab a few more headlines without actually dealing with the issue. If vendors are willing to work with and publicly acknowledge researchers' efforts, this will add far more value for both parties.
If the proposed changes pass, how do you think Wassenaar will impact the disclosure process? Will it kill full disclosure with proof-of-concept code, or move researchers away from the public entirely, preventing serious issues from seeing the light of day? Or, perhaps, could it see a boom in responsible disclosure out of fear of being on the wrong side of the law?
AA: The addition of cyberweapons to the Wassenaar Arrangement has caused a great deal of concern among researchers who fear the legal repercussions of disclosing vulnerabilities. In the short term, I can see many will be sitting on zero-days and POC code which is not good for the industry as a whole.
Even with explicit exemptions for open source software, researchers could technically be in breach of export restrictions if they travel with unpublished POC code on a device. If the proposed changes pass, there needs to be clear and explicit guidance for researchers, Bug Bounty programs and security conferences. Without these, we are in danger of slowing the advance of security and driving more exploits to the black market.