The Cybersecurity Advisors Network (CyAN) renews its partnership with FIC – International Cybersecurity Forum in Lille, 7-9 June 2022 with a focus on the protection of bona fide cybersecurity researchers.

All members of our network attending FIC, and anyone interested are welcome to attend two sessions on 8 June 2022, moderated by Nick Kelly, member of the board:

1st session: Wednesday 8 June at 11 am

Description of the session :

“Many organisations advocate Coordinated Vulnerability Disclosure (CVD) policies. The aim is to provide a responsible and public framework for the search for vulnerabilities by “ethical hackers” for the benefit of an organisation that is responsible for the security of its systems, and to strengthen or create mutual trust between these actors. Beyond bug bounty platforms, CVD programmes are structured at the regulatory level by two ISO standards but are not yet generalised or harmonised. This is due to users’ lack of knowledge of the rules of engagement that govern these activities, to the fact that some companies are still insufficiently aware of the need to patch vulnerabilities detected in their software, and to the heterogeneity of the processes specific to each organisation. Faced with this, how can we build confidence in these new vulnerability disclosure policies? How can they be better harmonised? What are the means and best practices for generalising the implementation of these programmes? How can we ensure their level of reliability and evaluate their effectiveness? Should we move from CVD to multi-party coordinated vulnerability disclosure (MCVD)?”

2nd Session: on Wednesday 8 June at 3 pm

Description of the session :

“When it comes to disclosing vulnerabilities, the lack of protection and encouragement for the type of expertise bona fide cybersecurity researchers possess presents as the weakest link in vulnerability management. Despite the encouraging progress made by many organisations concerning the adoption of Coordinated Vulnerability Disclosure (CVD) policies, broad standardisation and adoption are far from realised. Many stakeholders, including bug bounty platforms, CERTs, software owners, international government institutions like the OECD, and a handful of governments – advocate for enhanced awareness and adoption of frameworks on the corporate side. Still, the market trend is a slippery slope: disincentives often remain against the individual bona fide researchers even when CVD guidelines have been followed. The resounding chilling effect potentially drives more would-be bona fide researchers towards alternative means of engagement with less oversight – a net loss for all.“