ringzerø
★ TALK ★
Brian Gorenc
Dustin Childs
Best of the Worst: Misadventures in Bug Disclosure
Friday, 23 February
45 mins
ABSTRACT
Founded by TippingPoint in 2005, the Zero Day Initiative (ZDI) program rewards security researchers for responsibly disclosing vulnerabilities. Since that time, the ZDI has grown to be the world's largest vendor-agnostic bug bounty program. Being vendor agnostic means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc... We don't buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan.
This talk looks at some of the best of the worst examples of disclosing bugs to vendors. Disclosing bugs can get contentious. It can also be confusing when a vendor doesn't have a mature response process. Some reports are frustrating. Some reports are comical. And some are absolutely wild. All of them resulted in face palms at multiple levels. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk. Finding, disclosing, and fixing bugs are three different processes, and none of those processes are inconsequential. Here at the ZDI, we try to improve all three areas wherever we can.
Brian Gorenc VP of Threat Intelligence, Trend Micro Zero Day Initiative
Brian Gorenc is the Vice President of Threat Research at Trend Micro. In this role, he leads a globally dispersed research organization responsible for the delivery of comprehensive protection technology and threat intelligence to defend against sophisticated attacks. Gorenc is also responsible for the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions.
Before joining Trend Micro, Gorenc worked for Lockheed Martin on the F-35 Joint Strike Fighter (JSF) program. In this role, he led the development effort on the Information Assurance (IA) products in the JSF’s mission planning environment. In addition to degrees from Southern Methodist University and Texas A&M, Brian holds multiple certifications including (ISC)2's CISSP and CSSLP.
Dustin C. Childs Head of Threat Awareness, Trend Micro Zero Day Initiative
Dustin C. Childs serves as the Head of Threat Awareness for Trend Micro's Zero Day Initiative (ZDI), which is the world's largest vendor-agnostic bug bounty program. Dustin began his infosec journey in the late 1990s at the Air Force Information Warfare Center. Following his time working for the government, Mr. Childs worked in the Microsoft Trustworthy Computing group, where he served as a case manager in the Microsoft Security Response Center (MSRC) with a focus on addressing vulnerabilities in the Windows operating system and Microsoft's developer tools. In his current role, Mr. Childs gathers and analyzes threat intelligence from various Trend Micro and open-source resources to understand and communicate risk to enterprises. He also creates, implements, and oversees internal and external communications programs that promote the work of ZDI and its researchers.