Scanning and reporting vulnerabilities for the whole IPv4 space.

How the Dutch Institute for Vulnerability Disclosure scales up Coordinated Vulnerability Disclosure

Chris van 't Hof, Astrid Oosenbrug, Frank Breedijk and Lennaert Oudshoorn


The Dutch Institute for Vulnerability Disclosure scans the internet for vulnerabilities and reports these to the people who can fix them. Our researchers will go into some of our recent cases, our board members will describe how we professionalise vulnerability disclosure and why we are allowed to somewhat break laws on computer crime and privacy.

The Dutch Institute for Vulnerability Disclosure scans the internet from our own AS (50.559) for vulnerabilities and reports these to the people who can fix them. In this session our board members will describe how we professionalise vulnerability disclosure with an independent foundation, a Code of Conduct, a common identity, a collaboration platform for independent researchers and a CSIRT to report vulnerabilities to owners of vulnerable systems.
Our researchers will go into some of our better-known cases, ranging from Citrix in 2020 to Kaseya VSA and Log4j in 2021, and others which commenced between filing this proposal and the conference. They will demonstrate how to scan, validate data, report to users and how they responded.
By doing this, we kind of break several laws on computer crime and privacy protection. Still, we are allowed to, as we serve to make the internet more secure. Moreover, we also guide young security researchers to the responsible path of vulnerability disclosure. And we do it Dutch style: open, direct and for free.
Chris and Astrid will go into the way we work, Frank and Lennaert will do the cases.
