Please note though that you must register through Eventbrite in order to attend RightsCon Silicon Valley 2016! 

Find below the Official Schedule v1.0 (as of March 24, 2016). Slight changes may be made over the coming week — including session descriptions, panelist bios and room locations. Be sure to click on "Attendees" to see who’s coming and set up a personal profile. You can then select the sessions you wish to attend and create your own customized RightsCon schedule. Visit our RightsCon site for more details.
Friday, April 1 • 10:30am - 11:45am
Criminal (in)justice of vulnerability disclosure

Society is becoming more and more dependent on IT and on the availability, integrity and confidentiality of (personal) data. The security of all users of IT, be they businesses, governments, NGOs, human rights activists or consumers, depends heavily on the underlying security of the hardware and software in use.

Unfortunately, software is not perfect, and it probably never will be. Many software products and services these days have security vulnerabilities. Ethical or white hat hackers and security researchers play an important role in discovering and reporting these vulnerabilities as a first step to remedy them. Although reporting vulnerabilities seems straightforward, there are many different and sometimes conflicting interests at stake. For example, there is a tension between the need of the public to know about a vulnerability and the time needed for a vendor or system owner to respond effectively. There is also a tension between helping the system owner and end-users by discovering and demonstrating vulnerabilities with good intentions and crossing the line, resulting in criminal prosecution. Countries all over the world are grappling with these dilemmas, each from the perspective of their own unique cultural background and legal system. To make things more complicated, vulnerability disclosures often affect multiple stakeholders across borders.

In this workshop we would like to interactively explore the different points of view on vulnerability disclosure and cooperation between the hacker community, vendors, system owners, journalists and the national authorities, drawing from our experiences in the Netherlands and abroad. In the Netherlands this has resulted in a Responsible Disclosure policy, supported by companies, researchers, the government and the public prosecutor. By discussing real-world examples, including legal verdicts and cases we came across as the national CERT, we hope to further international discussion and mutual understanding of each other’s positions on the subject. Furthermore, we hope to provide workshop attendees with ideas and instruments to further the discussion on the subject back home. Ideally, this could be a first step towards globally acknowledged good practices for vulnerability disclosure.


Nate Cardozo

Senior Staff Attorney, Electronic Frontier Foundation
Nate Cardozo is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's cryptography policy and the Coders' Rights Project. Nate has projects involving export controls on software, state-sponsored malware, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law...

Arjan de Jong

Advisor on Cyber Security - National Cyber Security Centre, Ministry of Security and Justice of the Netherlands

Ross Schulman

Cybersecurity Initiative (New America)

Friday April 1, 2016 10:30am - 11:45am
The Nest
