Over the last five years, we have publicly disclosed the details about dozens of software vulnerabilities with varying degrees of severity and their effect on a wide range of vendors including Oracle, Pulse Secure, Microsoft, Antidote, and Akamai. We have acquired hard-earned experience on the difficulty faced dealing with clients and vendors, the risks and benefits of public disclosure, and many unanticipated corner cases of handling these new types of software weapons. This presentation will go over many cases of previously discovered and disclosed vulnerabilities and attempt to extract lessons to convince more organizations of the ethical obligation to do so, as well as solutions for managing responsible disclosure in the enterprise. Doing so will help Canada have a stronger IT security posture.
