Roadmap to a Vulnerability Disclosure Program


Presented by: Joe Basirico, Security Innovation



In today’s environment there is no arguing that a comprehensive secure development process is necessary. Fitting tools, technology, and security reviews into the current development cycle has become table stakes for companies building the software of tomorrow.

Breaking the “find and fix” vulnerability-based assessment cycle so that software is developed with security in mind from start to finish is critically important. Doing so without also building a collaborative, social security program that draws on bug bounty programs, security researchers, and every aspect of vulnerability disclosure, however, misses a huge opportunity.

In this talk we will explore how your security program can reach beyond the Secure SDLC. We will discuss:

  • Vulnerability Disclosure Programs - Why you want to invite security researchers to hack your products.
  • Marketing your Security Program - How and why to market your security program: what to say, how to say it, and where to say it for maximum effectiveness.
  • How to Communicate with Security Researchers - What security researchers expect in communication, responsiveness, transparency, and time to fix.
  • Vulnerability Disclosure Options - What public vs. responsible disclosure means and how to handle each.
  • Integration with an Existing Security Program - You may already be training your developers, using outside vendors, and performing internal security testing; where do these other aspects fit in?
