Forwarded from: Adam Shostack <adam@private> This should be a fascinating get-together. ----- Forwarded message from Lauren Gelman <gelman@private> ----- Cybersecurity, Research & Disclosure November 22, 2003 Stanford Law School http://cyberlaw.stanford.edu/security/ Stanford Law School's Center for Internet and Society will host a day-long exploration of the relationship between computer security, privacy, and disclosure of information about security vulnerabilities. This is the must-attend conference for researchers, academics, practitioners, government officials and CTO and CIOS interested in formulating disclosure practices or policies that would promote security research, constructive information sharing, remediation and commercial interests, and determining how such policies could be put into effect? Questions to be addressed include: * Does public disclosure of vulnerabilities motivate the vendor to release more secure software, and if so, does this benefit sufficiently outweigh potential risks that the information will be misused? * How can independent researchers be adequately compensated for the valuable service they provide to vendors and customers while encouraging responsible reporting? * Does the commercialization of security information promote security, or should reporting be an academic or governmental function? * What practices or policies facilitate communication between vendors and researchers. What should the researcher do? What should the vendor do? Should practices differ for small vendors, ISPs or website owners? * When does disclosure best promote security and minimize exploitations, and how much information should be disclosed at a given point in time, and to whom? * What policies or practices encourage the installation of patches? * How can disclosure policies promote computer security? How can we work towards consensus on such a policy? Encourage compliance with the policy? What would the policy include, and what are the security tradeoffs? Is there a role for regulation or government intervention in this area, or are market incentives sufficient? Register now at: http://cyberlaw.stanford.edu/security/ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 15 2003 - 03:59:56 PDT