halvarflake @halvarflake, 15 tweets, 2 min read
I will watch the Livecast about Software Vulnerability Disclosure, and I strongly suspect I will comment on it in this twitter stream.
Some recommendations will apparently be the output of today, but they seem to not be final yet(?)
First panel is interestingly composed - an Airbus CISO and a Microsoft Cybersecurity Policy person. The representative for civil society is missing - due to flu. A representative for security researchers is also missing, but wasn't on the agenda in the first place (?).
I am not sure if I would call the composition of the 2-person panel (dialogue?) balanced - but I will wait and see and give the benefit of the doubt.
Is there an easy way to figure out where which think tank gets its funding from? It is hard to understand the battle lines / political influences for CEPS, stiftung-nv.de, and the other think tanks in the debate here.
Currently Lorenzo Pupillo surveys the various approaches to vulnerability disclosure. Somewhat focused on "on-paper processes", not necessarily on what happens in practice.
Pupillo calls for protection & incentives for security researchers, citing among other things the US hack the pentagon programme.
Unfortunately, the speaker's accent is so heavy that it is difficult to understand the actual recommendations :-/.
Are the actual recommendations available in writing for outsiders? I did not manage to understand them fully as they were presented.
The Microsoft guy argues that no vulnerability information should ever be made public without a patch being available.
Microsoft's lobbyist really hates disclosure.
I will self-censor somewhat now, but I don't think I could disagree more with the MSFT guy, and I do not see anybody on the panel that is capable of providing a counterpoint.
I am a big fan of @MarietjeSchaake's question to the MSFT person, asking what the responsibilities of the software vendors are.
Good question by @blackswanburst on why disclosure dates are public, but not the dates of initial report to the vendor normally.