[ISN] Workshop on Cybersecurity, Research & Disclosure

From: InfoSec News (isn@private)
Date: Wed Oct 15 2003 - 01:20:38 PDT

    Forwarded from: Adam Shostack <adam@private>
    
    This should be a fascinating get-together.
    
    ----- Forwarded message from Lauren Gelman <gelman@private> -----
    
    Cybersecurity, Research & Disclosure
    November 22, 2003
    Stanford Law School
    http://cyberlaw.stanford.edu/security/
    
    Stanford Law School's Center for Internet and Society will host a day-long
    exploration of the relationship between computer security, privacy, and
    disclosure of information about security vulnerabilities.  This is the
    must-attend conference for researchers, academics, practitioners, government
    officials, and CTOs and CIOs interested in formulating disclosure practices or
    policies that would promote security research, constructive information
    sharing, remediation and commercial interests, and determining how such
    policies could be put into effect.
    
    Questions to be addressed include:
    
    *   Does public disclosure of vulnerabilities motivate the vendor to release
    more secure software, and if so, does this benefit sufficiently outweigh
    potential risks that the information will be misused?
    *   How can independent researchers be adequately compensated for the valuable
    service they provide to vendors and customers while encouraging responsible
    reporting?
    *   Does the commercialization of security information promote security, or
    should reporting be an academic or governmental function?
    *   What practices or policies facilitate communication between vendors and
    researchers? What should the researcher do? What should the vendor do? Should
    practices differ for small vendors, ISPs or website owners?
    *   When does disclosure best promote security and minimize exploitations, and
    how much information should be disclosed at a given point in time, and to whom?
    *   What policies or practices encourage the installation of patches?
    *   How can disclosure policies promote computer security? How can we work
    towards consensus on such a policy? Encourage compliance with the policy? What
    would the policy include, and what are the security tradeoffs? Is there a role
    for regulation or government intervention in this area, or are market
    incentives sufficient?
    
    Register now at: http://cyberlaw.stanford.edu/security/
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    


