Software today is everywhere: in our smartphones, in our cars, in our offices and at home.However, software is very complex and the risks for the critical infrastructures related to software vulnerabilities are increasing dramatically.
The disclosure of information related to software vulnerabilities is becoming a multifaceted process characterized by: inconsistent vulnerability release practices, unbalanced incentives for software companies captured between improving security of their products and the needs to support national security, great legal uncertainty about the lawfulness of security research for vulnerabilities, lack of vendor maturity for vulnerability reporting and the dilemma for government agencies between disclose zero-days vulnerabilities or retain them for intelligence purposes.
The lack of codes of conduct for vulnerability research and disclosure is hampering the process of finding and fixing critical vulnerabilities. In Europe the debate on these issues is at the beginning and there is the need to bring together different stakeholders to assess and manage the challenges associated with the vulnerability disclosure process.
The purpose of this workshop is to promote this process through a discussion and the definition of proposals to improve the vulnerability disclosure landscape in Europe.
Timing : 09:30 Registration + coffee. Workshop from 10:00 to 15:00?. Lunch will be served at 13:00.
Participation in this event is exceptionally free of charge.
Lorenzo Pupillo, CEPS: Origin of the Disclosure Controversy
Jan Neutze, Microsoft: Coordinated VulnerabilityDisclosure (CVD)
Ignacio Sanchez, European Commission (JRC): EU zero-day vulnerability management
Jeroen van der Ham, National Cyber Security Centre (NCSC) of the Netherlands: CVD building blocks
Gianluca Varisco, Italian Digital Transformation Team: A National Programme for Responsible DIsclosure
Philippe Cotelle, Airbus Defence and Space Insurance Risk Management: Software vulnerability Exposure a view from the industry
Allan Friedman, NTIA: US Government Promotion of Private Sector Vulnerability Disclosure
Marietje Schaake, Member of European Parlament (Video): A need for a joint EU reponse to mitigate cyber threats
Andriani Ferti: Legal challenges related to software vulnerability disclosure