Put that Cease and Desist Down: How to Train Your Org to Work with Hackers presented at OWASPBASC 2019

by Luke Tucker,

Summary: Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and spot vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security, and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?

Based on hundreds of hacker and company mediation requests, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: responding to vulnerabilities reported via social media; how to minimize the chances of your vulnerabilities ending up on Twitter; tips for keeping the press out of your bug reporting workflow; preparing your company to talk to a hacker who is requesting cash; de-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and how to advocate for security researchers without losing friends or your job.