This talk will focus on responsible disclosure best and worst practices from both legal and practical perspectives. I'll also focus on usable advice, both positive and negative, and answer any questions the audience has on best practices.
You've found a security vulnerability in someone else's product. What now? You want to report your finding so users can protect themselves, or so the vendor can repair their product, or so you as a researcher can give your talk or publish your paper. But how? You don't want to get sued! You don't want to go to jail! You don't want your talk cancelled! You don't want to lose your job!
In my role as a lawyer at the EFF on the Coders' Rights Project, I advise security researchers, students, developers, and hackers of all varieties on how to report vulnerabilities. In this talk, I'll share some practical advice that will help the audience navigate the legal, ethical, and practical waters that surround the disclosure of security vulnerabilities.
There is no one-size-fits-all approach to responsible disclosure; every situation is different. I'll discuss how to make an offer of delayed publication not sound like a blackmail threat, and how to draw the right kind of attention to your talk without bringing too much of the wrong kind of attention with it. Finally, I'll talk about the different kinds of risk that disclosure entails, including the types of legal issues often faced by researchers.
Instead of announcing rules that you must follow, I'll focus on a number of practical DOs and DON'Ts to help you minimize the risks involved.