The Year of the Vulnerability Disclosure Policy by Jack Cable

Speaker: Jack Cable

It’s an exciting time for vulnerability disclosure. Thousands of companies now offer vulnerability disclosure policies (VDPs), and that number is increasing every day. With such policies, not only are hackers better protected when disclosing vulnerabilities, but the public can stay better informed about security practices across organizations. 2020 proved to be a breakout year for vulnerability disclosure policies, with VDPs launched across every U.S. federal civilian agency, the elections industry, and more. Yet with these advances comes an increased need to ensure such policies are effective and protect both organizations and hackers. As evidenced by past legal disputes, the process of building and abiding by a VDP is nontrivial. In this talk, learn about the history of the VDP, ongoing legal troubles, and best practices moving forward to ensure the efficacy of VDPs. Case studies of action by the United States and Netherlands governments demonstrate that VDPs can be implemented as a standard in order to increase public security. By structuring VDPs in the right way, such policies can offer the transparency critical to increasing public trust around security.

Jack Cable is a security researcher and student at Stanford University. Jack formerly worked for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help secure the 2020 election. Jack is a top-ranked bug bounty hacker, having identified over 350 vulnerabilities in companies including Google, Facebook, Uber, Yahoo, and the U.S. Department of Defense. After placing first in the Hack the Air Force challenge, Jack began working at the Pentagon’s Defense Digital Service. Jack was named one of Time Magazine’s 25 most influential teens for 2018. At Stanford, Jack studies computer science and launched Stanford’s bug bounty program, one of the first in higher education.
