lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: adam at homeport.org (Adam Shostack)
Subject: Workshop on Cybersecurity, Research & Disclosure

This should be a fascinating get-together.

----- Forwarded message from Lauren Gelman <gelman@...nford.edu> -----

Cybersecurity, Research & Disclosure
November 22, 2003
Stanford Law School
http://cyberlaw.stanford.edu/security/

Stanford Law School's Center for Internet and Society will host a day-long
exploration of the relationship between computer security, privacy, and
disclosure of information about security vulnerabilities.  This is the
must-attend conference for researchers, academics, practitioners, government
officials and CTO and CIOS interested in formulating disclosure practices or
policies that would promote security research, constructive information
sharing, remediation and commercial interests, and determining how such
policies could be put into effect?

Questions to be addressed include:

*   Does public disclosure of vulnerabilities motivate the vendor to release
more secure software, and if so, does this benefit sufficiently outweigh
potential risks that the information will be misused?
*   How can independent researchers be adequately compensated for the valuable
service they provide to vendors and customers while encouraging responsible
reporting?
*   Does the commercialization of security information promote security, or
should reporting be an academic or governmental function?
*   What practices or policies facilitate communication between vendors and
researchers. What should the researcher do? What should the vendor do? Should
practices differ for small vendors, ISPs or website owners?
*   When does disclosure best promote security and minimize exploitations, and
how much information should be disclosed at a given point in time, and to whom?
*   What policies or practices encourage the installation of patches?
*   How can disclosure policies promote computer security? How can we work
towards consensus on such a policy? Encourage compliance with the policy? What
would the policy include, and what are the security tradeoffs? Is there a role
for regulation or government intervention in this area, or are market
incentives sufficient?

Register now at: http://cyberlaw.stanford.edu/security/


Powered by blists - more mailing lists