The disclosure of information related to software vulnerabilities is becoming a multifaceted process characterized by: inconsistent vulnerability release practices, unbalanced incentives for software companies captured between improving security of their products and the needs to support national security, great legal uncertainty about the lawfulness of security research for vulnerabilities, lack of vendor maturity for vulnerability reporting and the dilemma for government agencies between disclose zero-days vulnerabilities or retain them for intelligence purposes.
The lack of codes of conduct for vulnerability research and disclosure is hampering the process of finding and fixing critical vulnerabilities. In Europe the debate on these issues is at the beginning and there is the need to bring together different stakeholders to assess and manage the challenges associated with the vulnerability disclosure process.
The purpose of this workshop at CEPS was to promote this process through a discussion and the definition of proposals to improve the vulnerability disclosure landscape in Europe. Please click here for full agenda and click here for speakers' short biographies