Disclosure DOs, Disclosure DON'Ts

Pragmatic Advice for Security Researchers

This talk will focus on responsible disclosure best and worst practices from both legal and practical perspectives. I'll also offer usable advice, both positive and negative, and answer any questions the audience has on best practices.

You've found a security vulnerability in someone else's product. What now? You want to report your finding so users can protect themselves, or so the vendor can repair their product, or so you as a researcher can give your talk or publish your paper. But how? You don't want to get sued! You don't want to go to jail! You don't want your talk cancelled! You don't want to lose your job!

In my role as a lawyer at the EFF on the Coders' Rights Project, I advise security researchers, students, developers, and hackers of all varieties on how to report vulnerabilities. In this talk, I'll share some practical advice that will help the audience navigate the legal, ethical, and practical waters that surround the disclosure of security vulnerabilities.

There is no one-size-fits-all approach to responsible disclosure; every situation is different. I'll discuss how to make an offer of delayed publication not sound like a blackmail threat, and how to draw the right kind of attention to your talk without bringing too much of the wrong kind of attention with it. Finally, I'll talk about the different kinds of risk that disclosure entails, including the types of legal issues often faced by researchers.

Instead of announcing rules that you must follow, I'll focus on a number of practical DOs and DON'Ts to help you minimize the risks involved.

Speaker: Nate Cardozo
Room: Saal 6
Time: 11 p.m.
Track: Ethics, Society & Politics