[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031008010057.GA63902@lightship.internal.homeport.org>
From: adam at homeport.org (Adam Shostack)
Subject: Workshop on Cybersecurity, Research & Disclosure
This should be a fascinating get-together.
----- Forwarded message from Lauren Gelman <gelman@...nford.edu> -----
Cybersecurity, Research & Disclosure
November 22, 2003
Stanford Law School
http://cyberlaw.stanford.edu/security/
Stanford Law School's Center for Internet and Society will host a day-long
exploration of the relationship between computer security, privacy, and
disclosure of information about security vulnerabilities. This is the
must-attend conference for researchers, academics, practitioners, government
officials and CTO and CIOS interested in formulating disclosure practices or
policies that would promote security research, constructive information
sharing, remediation and commercial interests, and determining how such
policies could be put into effect?
Questions to be addressed include:
* Does public disclosure of vulnerabilities motivate the vendor to release
more secure software, and if so, does this benefit sufficiently outweigh
potential risks that the information will be misused?
* How can independent researchers be adequately compensated for the valuable
service they provide to vendors and customers while encouraging responsible
reporting?
* Does the commercialization of security information promote security, or
should reporting be an academic or governmental function?
* What practices or policies facilitate communication between vendors and
researchers. What should the researcher do? What should the vendor do? Should
practices differ for small vendors, ISPs or website owners?
* When does disclosure best promote security and minimize exploitations, and
how much information should be disclosed at a given point in time, and to whom?
* What policies or practices encourage the installation of patches?
* How can disclosure policies promote computer security? How can we work
towards consensus on such a policy? Encourage compliance with the policy? What
would the policy include, and what are the security tradeoffs? Is there a role
for regulation or government intervention in this area, or are market
incentives sufficient?
Register now at: http://cyberlaw.stanford.edu/security/
Powered by blists - more mailing lists